Gmail Begins Signing Email with DomainKeys 416
NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."
Continue the trend (Score:5, Insightful)
Re:Continue the trend (Score:5, Insightful)
-russ
Re:Continue the trend (Score:3, Insightful)
Re:Continue the trend (Score:5, Insightful)
-russ
Re:Continue the trend (Score:5, Insightful)
An important hole in the phishing protection is that there will quickly be domains like ebaysecurity.com, paypalinfo.org, or paypalfraudunit.com ad nauseam, the possible iterations over which can't all be preemptively registered, which could have perfectly valid DomainKeys signatures because the phishers would control the domains.
Re:Continue the trend (Score:5, Insightful)
-Your receive a message
-You check the DNS for the key
-It has one, but the message isn't signed. Drop the message.
Receivers that don't check the key of course won't realize they're getting fraudulent mail, but those that do will with absolutely certainty - if Google publishes that they sign their emails, then you can be absolutely certain that unsigned emails are fakes and dump them. If the sending domain doesn't have a key then you obviously can't take advantage of this.
An important hole in the phishing protection is that there will quickly be domains like...
Excellent point that is very true. While this is another tool for the clueful, the clueless will happily believe derivatives, and as you mentioned they will be fully "authenticated". paypa1.com anyone?
Re:Continue the trend (Score:2)
That's the whole point behind being able to share domainkey info.
Re:Continue the trend (Score:5, Interesting)
"However, it is possible that Certificate Authorities may become a valuable addition to the DomainKeys solution to add an even greater level of security and trust."
So, to extend the "SUSPECT" folder, are we eventually going to find ourselves in the position where we all have to pay a CA simply to avoid having mail from private domains being bounced by big/wealthy/corporate providers.
This would suck, I have about 20 domains that I serve mail for, a couple of commercial ones, but mainly domains for friends, myself etc. At 50 odd dollars a throw, that'd be $1000 dollars a year.
Don't get me wrong, public verification would be nice in certain circumstances, but I can't see how this would happen without incurring considerable cost, after all, what you are paying for (in theory) is for someone else to verify you are who you say you are - this is a service that quite rightly is chargeable.
To go one step further, it would also (once more, in theory - in my experience the checking done for CA signed certs is non-existent/trivial to circumvent) reduce the anonymity and privacy on the net that we all value so highly - at least as far as email is concerned.
Re:Continue the trend (Score:2)
Yes, you're right that ebay.com will have to tell people that ONLY email from ebay.com is actually FROM ebay.com and ONLY if it's signed.
-russ
Re:Continue the trend (Score:3)
Re:Continue the trend (Score:5, Funny)
Re:This will work - differential filtering (Score:5, Insightful)
Re:Continue the trend (Score:3, Insightful)
(We do this at work, at the server everything is gpg signed with a company key that is broadcast to customers or is generated by our billing system)
Re:Continue the trend (Score:5, Insightful)
In order for this to be the most useful, the solution needs to be usable by everybody. Yahoo has come up with a workable system, and has licensed it to everybody for free use (I await the EFF's opinion on the terms of use, but it looks pretty good to me.)
Google has seen Yahoo's solution and deemed it 'good'. They'll use it, and traction will thus be gained. According to the article, sendmail is working on an implementation of it, for which I rejoice.
The biggest hurdle to using this is to actually get others using it. Google has decided to throw their weight behind Yahoo's implementation. Fortunately, they've beaten the proprietary versions. I can't imagine anyone now going with a pay to use version, when this is available.
You can also build in as much security as you want, since RSA keylength is decidable by the domain, rather than fixed.
Hooray!
HanzieRe:Continue the trend (Score:5, Informative)
Re:Continue the trend (Score:5, Informative)
Re:Continue the trend (Score:5, Insightful)
Re:Continue the trend (Score:5, Interesting)
7. Yahoo is suggesting a solution that *should* have been the first thing everyone tried. Inventing complex new mail records is just silly.
Extremely bad advice (Score:5, Informative)
Do not ever do this! It is an extremely bad advice.
From addresses are almost always forged, usually there are just random junk in the From. Quite often there are valid addresses there, and your autoresponders will spam those innocent bystanders. They will be very thankful, you bet!
Finally, it is not uncommon that spammers forge in anti-spammers who have successfully shut them down before in there. When I was still actively pursuing spammers, I had my addresses forged this way. I have had my share of moronic autoresponders. It is not fun at all. If you do this, you only contribute to the spam, and you bet that if you annoy a real anti-spammer enough, you will find your own connection to be a smoking hole faster than you can imagine.
In fact, having autoresponders at all is not recommendable at all at this time. If you first accept an e-mail and then generate a bounce message, if the MAIL FROM was forged, that bounce will go to a random bystander, which is bad. If you use autoresponders, or generate bounce messages, you should be careful not to bounce at forged from addresses.
Allthough it is a bit controversial still, you may configure your system to reject spam and viruses at SMTP time. Then you will not generate a bounce, a relay may, but then, hijacked relays usually don't either (I think it is good reasons for this). So, I am of the opinion that this is good practice.
Autoresponders are Evil however.
Re:Continue the trend (Score:2, Interesting)
I mean, without some third-party software. hmm.. don't know how entourage (or outlook) would work with labels though.
What!? (Score:4, Funny)
Re:What!? (Score:5, Insightful)
All of these spam identification methods merely provide reliable authentication of the sender's domain. The rest is up to you. You still have the responsibility to maintain spam filters.
Having reliable identification is a first step. A very important first step.
Re:What!? (Score:2, Informative)
Yes, if the spam originated from gmail, then the weird address is verifiably correct. However, there is no safeguard in place to prevent spoofing of gmail addresses from other domains.
I like Google a lot. I also think this kind of authentication system is absolutely necessary in the long run. I do not think that it needs to be plastered all over the news every time some obscure anti-spam safeguard goes up.
Re:What!? (Score:3, Informative)
Re:What!? (Score:5, Informative)
Re:What!? (Score:3, Funny)
It takes all those PhDs at Google (Score:4, Funny)
Re:It takes all those PhDs at Google (Score:2, Redundant)
Ok... DOH!
Hazards of skim reading.... (Score:5, Funny)
Re:Hazards of skim reading.... (Score:2)
Re:Hazards of skim reading.... (Score:5, Funny)
beta!? (Score:4, Funny)
You? Google? (Score:2, Funny)
I hate to break this to you... but you're not Google!
Reminds me of Sealab 2021 (Score:2, Insightful)
Stimutax!
Step 1: Make something addictive.
Step 2: Give it out for free.
Step 3: Start charging money.
Step 4: Rake in the money!
One of the greatest episodes ever.
"It feels like a Koala crapped a rainbow in my brain"
Re:beta!? (Score:3, Funny)
Just not yet
Re:beta!? (Score:3, Funny)
Good day for it too, oh yes indeed!
domainkeys, SPF (Score:5, Interesting)
In fact, it could be worse since now a calculation is required to verify the sender in addition to the DNS query.
Anybody care to enlighten me?
Re:domainkeys, SPF (Score:5, Informative)
-russ
Re:domainkeys, SPF (Score:2)
If I send you a message, I don't want you to be able to forward it to anyplace you want and still have it claim to be form me.
Re:domainkeys, SPF (Score:3, Informative)
Re:domainkeys, SPF (Score:2)
Re:domainkeys, SPF (Score:2)
Re:domainkeys, SPF (Score:5, Informative)
SPF verifies that the IP address of the mail server sending you the email is authorized by the domain to do so. This causes problems when email is forwarded, such as via pobox.com. It requires all email to be sent through "authorized" servers, which can cause problems when people are working from home and want to send email, or when you are in a cyber cafe. It also causes problems when email is generated on greeting-card/news-story websites.
DomainKeys creates a hash of the email body and some of the headers and uses public key technology to sign it. This causes problems when email is sent to a mailing list and the mailing list mangles it or when it is sent through things like MS Exchange servers. There are also problems with being able to replay the message. Like SPF, there are problems people are working from home and want to send email, or when you are in a cyber cafe. Also like SPF, also causes problems when email is generated on greeting-card/news-story websites.
Using DomainKeys, a spammer can send an email from a throw-away gmail account to another email account, pick up a copy of the spam with the correct domainkeys signatures, and then blast it out to everyone. I can't see any way to prevent this with domainkeys.
Many mailing lists add stuff at the end, either unsubscribe/archive info, or outright ads. In order to make DomainKey signatures survive being sent through mailing lists, the email body is converted to a "canonical form", which allows this extra text to be ignored.
The problem is that a spammer can subscribe to a mailing list, watch for emails without much text, then add their own ads (spam) onto the end and send it out.
I think domainkeys is an interesting idea, but as of right now, I can't see how it is ever going to work or be useful.
Re:domainkeys, SPF (Score:5, Informative)
The recipient should probably have their mailing list sources whitelisted. Or the mailing list could insert a Sender: header and resign the message.
or when it is sent through things like MS Exchange servers.
This is indeed a problem, but the -01 spec has c=nofws and h= which should go a long way towards fixing that.
There are also problems with being able to replay the message.
True, but you can't replay it with different recipients.
Like SPF, there are problems people are working from home and want to send email,
Your workplace can give you a selector and private key of your own so you can configure your MUA or MTA to sign email. (I realize that I'm creating software from whole cloth here, but we're talking about the capability of a standard, not the existance or capability of the implementations of it).
or when you are in a cyber cafe. Also like SPF, also causes problems when email is generated on greeting-card/news-story websites.
Typical email use in a cyber cafe (that I've observed anyway) is a webmail host. The greeting-card/news-story websites will have to stop forging email.
Using DomainKeys, a spammer can send an email from a throw-away gmail account to another email account, pick up a copy of the spam with the correct domainkeys signatures, and then blast it out to everyone. I can't see any way to prevent this with domainkeys.
gmail will start to get LOTS of queries for that selector. If they've given out one selector for each user, they'll be able to revoke the key for that user.
-russ
Re:domainkeys, SPF (Score:5, Interesting)
an interview [circleid.com] with the creator of SPF that compares it with DomainKeys
Example (Score:4, Informative)
SPF (Score:4, Interesting)
Oh yeah, and gmail already support SPF. Why promote different standards that are apparently identical in purpose?
Re:SPF (Score:5, Interesting)
-russ
Header Example (Score:5, Informative)
DomainKey-Signature: a=rsa-sha1; c=nofws;
s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subje
Re:Header Example (Score:5, Insightful)
Your spam filter cares about the non-readable text in the header?
Re:Header Example (Score:2, Funny)
Re:Header Example (Score:2)
-russ
Re:Header Example (Score:2)
Re:Header Example (Score:5, Informative)
You're kidding, right?
The DomainKeys proposal has been submitted as an Internet-Draft [ietf.org]. In other words, the DomainKeys-Signature header field is on the best possible track to becoming a recognized field. The only thing that recognition would mean that the DomainKeys-Signature field could not be used for other purposes.
Even so, RFC 822 [ietf.org] does not require private header fields (what it calls "user-defined fields") to begin with X-; it is merely offered as good advice to those who never intend to seek official recognition for their fields.
Of course, the extension field name registry endorsed by RFC 822 does not exist, and in fact, no extension field name registry for 822-format messages exists. (It seems like IANA should maintain one, but they don't. RFC 2076 [ietf.org] is a good start.) The best guidance is to treat de facto usage as the standard, and allow for expansion through the formal RFC procedures, of which publication as an Internet-Draft is an element.
And remember, it's already an Internet-Draft [ietf.org].
Mark
I'd like to see personal signatures (Score:2)
Re:I'd like to see personal signatures (Score:2)
-russ
Re:I'd like to see personal signatures (Score:2, Insightful)
So, no more SMTP-server for me? (Score:3, Interesting)
So I would have to use their web-interface, or hope they wil eventually make a smtp-server useable for a fee
Not that this is not their right and all, and I could just stop using it if I don' like it, free service, yada yada..
Still, this gives a little too much control to my email-domain-provider about which smtp-server I can use, than I am comfortable with.
Re:So, no more SMTP-server for me? (Score:2)
You could always use Reply-To:.
-russ
Re:So, no more SMTP-server for me? (Score:5, Informative)
The sender has to take explicit steps to cause this to break.
-russ
Domain Keys question (Score:5, Interesting)
When I send mail, I use my domain in the "from."
However, my domain provider doesn't allow smtp, so my outgoing mail is through my ISP.
If my ISP supports domain-keys, they will sign my outgoing mail, but it will NOT match my totally-legitimate "from."
According to the domain-keys summary, this would flag my mail. In medical terms, this is called a false-positive.
How does domain-keys prevent something like this from being a problem, other than by forcing users to adopt a completely different e-mail stragegy?
Re:Domain Keys question (Score:5, Informative)
If your ISP supports domain-keys, they won't sign your outgoing mail, because they don't have a private key and selector/public-key combination for your from:. If they trust that you are you (e.g. because they used smtp-auth with reasonably secure passwords), then they might insert a Sender: header with your authentication information in it.
The alternative is for you to sign your outgoing email, or deal with people's reaction to the reception of unsigned email.
-russ
Re:Domain Keys question (Score:4, Informative)
If my ISP supports domain-keys, they will sign my outgoing mail, but it will NOT match my totally-legitimate "from."''
I think DomainKeys takes this into account. If you provide a Sender: header, the domain in there will be used for signing the mail. So, the following mail:Your ISP would sign this mail, testifying that it indeed comes from the isp.com domain. The recepient sees the mail as verified, and sees the sender as anonymous@coward.org. His reply will also be directed there.
Re:Domain Keys question (Score:4, Interesting)
I'm not sure if outlook ignores reply-to or if it just asks a question with the sender address as default choice, but for some reason I always get the replys to the wrong address.
License Terms (Score:4, Interesting)
I've quoted some of the interesting looking parts below.
SPF and gmail (Score:5, Informative)
gmail.com. 300 IN TXT "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com ?all"
Received-SPF: pass (mojo: domain of gmail.com designates 64.233.170.203 as permitted sender) client-ip=64.233.170.203; envelope-from=xxx@gmail.com; helo=mproxy.gmail.com;
What we should question is why this is in my Exim logs for each gmail mail I receive:
2004-10-17 23:00:25 H=rproxy.gmail.com (mproxy.gmail.com) [64.233.170.203] Warning: remote host presented unverifiable HELO/EHLO greeting.
Email forwarding with own domain name (Score:2)
How would this work for people who use own domain name but forward their emails to Gmail
(Note: Gmail allows you the option of using a different Reply-To address instead of your @gmail.com address)
I want my TXT record back! (Score:5, Informative)
sanfrancisco._domainkey.example.net
In this case, "example.net" is the domain this is all about, and "sanfrancisco" is the name of they key (yep, it seems you can have multiple keys per domain).
I haven't looked too hard into DomainKeys, but it looks very promising.
Re:I want my TXT record back! (Score:3, Insightful)
_domainkey?
Is that underscore really meant to be there? Because _ is not supposed to be an allowable character for names in the DNS.
I hope that this is not Yet Another Impoverishment of internet standards...
Re:I want my TXT record back! (Score:4, Informative)
The underscore is not supposed to be present in host names. The restrictions on host names are much stricter than any restrictions imposed by the DNS protocol, which can handle just about any raw data as a name. If it resolves to an A record, possibly indirectly through a CNAME, the _ has no business being there.
The world uses DNS for more than host names, though, and there's nothing wrong with using underscores in other contexts. This isn't new. Think SRV records.
Why doesn't Yahoo... (Score:4, Interesting)
Doesn't surprise me. My domain was once hosted with a pretty satisfactory ISP called SimpleNet (what a name, but their service was good!!). They were absorbed by Yahoo and continued under the brandname Yahoo WebServices. So far, so good...
Over the years, I got more and more spam, so when Yahoo one time announced (I'm sure I read it on
Oh dear, had I underestimated Yahoo logic!! The reply was that I could upgrade my account to a business account (for 30+ bucks a month) to obtain the SERVICE (!!!) of spam filtering
No answer of course and I moved my domain to another ISP at the end of the year.....
What about... (Score:5, Insightful)
Tell me where I'm wrong.
Another Grand Unified Spam Solution(TM) (Score:5, Insightful)
The Google engineers aren't stupid, they know that mail messages are routinely modified in transit, both the headers, which can be wrapped, rearranged, removed or added, and the MIME bodies, which can be decoded, reencoded, and even modified.
As engineers, they also know that cryptographic signatures are designed to detect message tampering.
Combine these two ideas and you get a system which will flag routine message modifications as forgeries, making the DomainKeys signature completely useless in practice. And yes, I've read the rfc draft [ietf.org], and found it wanting.
It *would* work if there was a standard set of well defined transformations performed on emails from the sender's MUA to the recipient's MUA. So if one Gmail user sends to another Gmail user, it'll be ok, because the message won't leave Google's servers.
But Google has no control over other people's systems. When I download mail by POP3 from my ISP, they've added SpamAssassin headers, which will simply destroy the DK cryptographic signature. When I get mail at work, they remove ZIP attachments, which destroys the DK signature. When mail passes through an older gateway, some MIME attachments can be decoded and reencoded, destroying the DK signature.
I could go on but you see the point. Once I get the mail in my mailreader, the DK header is useless junk, and it might as well have been forged, for all the good it does. In fact, if my trust in Google is so high that I'm willing to accept the DK header even though it fails, just because Google are the only ones using it so far, I guarantee that the spammers will pick up on that real fast.
DK is a draft, and is far from ready yet. It should be allowed to mature. Google shouldn't be deploying incomplete solutions. Unless... could this the beginning of the PHB era at Google? If so, I'm disappointed.
Re:Another Grand Unified Spam Solution(TM) (Score:3, Informative)
The SpamAssassin headers shouldn't interfere with the signature because the DK signature includes a list of the headers that are included, and the SpamAssassin headers won't be there.
Your employer could check the signature and annotate the message prior to removing the
Re:Another Grand Unified Spam Solution(TM) (Score:4, Informative)
Most authentication header solutions are server-to-server, not concerned with what person is sending the message, only what service. Given that domain spoofing is a server issue, not a client issue, that's reasonable.
In addition there are also issues with most email authentication systems involving relays.
(explanation for public benefit) In email situations you have:
Your Side -- Their Side
Where Your Side or Their Side consists of many or few email servers. It's very rare these days to have this situation:
Your Side -- External Relays -- Their Side
Where the external relays are not controlled by either you or the other side. These relays can do things such as the MIME re-encoding, ZIP removal, etc that was mentioned above. This is bad, as there really is no way to distinguish between a properly modified and an improperly modified email once it passes through those relays.
But they're rare. As long as the both Your Side and Their Side both have authenticators set up somewhere in the chain before things are mangled, everything is fine.
So, for instance, if you want to remove ZIP files, defang HTML or MIME, virus scan, and markup for spam purposes, you can do that. Just make sure that it's done *after* authentication.
It's like putting a letter in an envelope: envelope's only good if you check the seal before opening it.
Re:Another Grand Unified Spam Solution(TM) (Score:5, Informative)
It's nowhere near as routine as you say. We struggled and struggled with this issue for months, and finally decided that we didn't have enough information about exactly what munging of messages actually happened "in the wild." Hence, the 00 draft had only tiny support for munging (allows for variable numbers of terminating CRLFs), and the 01 draft has only a little bit more.
Complexity is easy to add; simplicity is easy to lose. Simple specs get implemented; complex ones don't, or take longer to implement.
Combine these two ideas and you get a system which will flag routine message modifications as forgeries, making the DomainKeys signature completely useless in practice. And yes, I've read the rfc draft, and found it wanting.
The -01 draft? Did you miss the nofws canonicalization? Did you miss the h= tag which specifies the order of signing of headers?
But Google has no control over other people's systems. When I download mail by POP3 from my ISP, they've added SpamAssassin headers, which will simply destroy the DK cryptographic signature.
We have a committment from the SpamAssassin folks to support DK. That means checking the signature, and not munging.
When I get mail at work, they remove ZIP attachments, which destroys the DK signature. When mail passes through an older gateway, some MIME attachments can be decoded and reencoded, destroying the DK signature.
True. It's likely that complex corporate MTA configurations will need to check the signature at the border.
I could go on but you see the point.
Not really. Are you counselling inaction? Inaction is more likely to fail at stopping forgeries.
DK is a draft, and is far from ready yet.
Have you submitted your suggested improvements to Mark, or
I agree with you that some FUSSPs are not salvagable, but I believe that DomainKeys can succeed at stopping forgeries.
-russ
Google also tried using Bonded Spammer for a while (Score:5, Insightful)
If you sign up with one of these "trusted sender" schemes, be very careful that there's no way mail bounces, virus-generated mail, or mail via open proxies can become "trusted". Your ID will be on the mail, and you'll be blamed. Spammers are going to be targeting those sites, since they provide a bypass around some spam filters.
Patents and hypocrisy (Score:3, Informative)
If Microsoft had done this the sky would be falling - what's the difference here?
Re:Patents and hypocrisy (Score:4, Insightful)
Header Length? (Score:5, Insightful)
What's wrong with PGP? (Score:3, Informative)
PGP provides sender authentication (not just server authentication like SPF, CID and SID, or domain authentication like DK), by signing the mail with the sender's private key. The receiver can verify the sender's identity, because the signature can be decryted only with the sender's public key. Additionally, PGP can be used to encrypt the message. The functionality provided by these hot and hyped techniques doesn't even come close to what PGP can do.
So what's wrong with PGP? One argument I can come up with is that it puts a burden on the user, who has to generate keys, and make sure he can always access the keys when sending mail, but nobody else can. However, nothing in PGP demands that the user do all this work. A webmail system could generate a key for the user when he signs up, and the same applies to ISPs. Voila, PGP without any effort from the user.
Another problem could be scalability of the key database. PGP obviously needs more keys that the other systems. However, the amount of keys is in the same order as the number of mail accounts. Surely the mail system could store a few extra bytes per account, and answer the occasional request for public keys?
Can anyone provide more insight here?
Re:What's wrong with PGP? (Score:4, Interesting)
I think your scalability point is going to prove important. I think it would be computationally rather expensive for the moment. My pubring has around 900 keys and the database is 12 MB. But then, it could become feasible in the future, as processing capacity does increase fast.
However, the real thing here is that PGP does not help you verify identity directly. It helps you verify that a message was sent by "Foo Bar ", and that it has not been altered while in transmission. Still, there is additional effort involved in knowing who "Foo Bar " is. Sure, you may know someone called "Foo Bar", but you don't know that it isn't some spammer who generated this keypair with your friend Foo Bar's credentials to get through your filters. Unless you have signed this key.
I don't think you will ever be able to sign all the keys of everyone who might legitimately send you e-mail, but you can build a web-of-trust based on PGP's concept of ownertrust, and I have put some effort into it myself, so I now trust roughly 1500 keys.
Doing this is a largish undertaking, however, and I think that is the main reason why I really can't envision PGP being useful for combatting spam in near future.
Re:Wait a minute... (Score:2, Funny)
Re:Wait a minute... (Score:5, Insightful)
-
Don't get me wrong, I'm not one of them Google bashers (I don't believe the Google Desktop is spywer, for example), but in this case I would like to have an opt-out option!
Since Gmail's a free service, I believe your opt-out mechanism is to use something else. Given this is largely an anti-spam technique (to prove an E-mail is legitimately from the domain it says it is) I can't see Google being willing to provide an opt-out on this, it would undermine the whole effort.Re:Wait a minute... (Score:3, Funny)
Re:Wait a minute... (Score:2)
-russ
Re:Wait a minute... (Score:2)
Re:Spammers on GMail (Score:5, Informative)
-
So will this prevent spammers from sending spams via a Gmail account?
I doubt that's really the concern, most spammers don't use mainstream ISPs/E-mail providers as it is, they just fake return addresses from domains of known ISPS/E-mail providers. This would help E-mail servers on the receiving end (who've implemented the DomainKeys stuff too) to know for sure if the return address is real or not. So they could just toss out all @gmail.com addresses that aren't authentic, most of them would be spam anyway. It also simplifies Google's spam investigations, if a spam E-mail supposedly from gmail.com doesn't have the DomanKeys validation no further time needs to be spent on it, just send it back with a form "This didn't originate from our domain" message and go on to the next one.Of course that just means spammers will start using different domain names as return addresses.
Re:Spammers on GMail (Score:4, Insightful)
Yes, true, that is why DomainKeys is an authentication system. To the extent that it helps stop spam, it will be through forcing spammers to use their own names.
-russ
Re:Spammers on GMail (Score:2)
As long as not ALL of them implement this, spamers will always have domain names they can use. And if this goes at the same speed of ipv6...
The bounce traffic wil end up with these domains instead of the protected ones, wich I guess is good for domain owners, but it wil NOT reduce the volume of spam, or force spammers to identify themselves in any way.
For domain owners it might be a good thing, but for the average user, it has no advantages.
Re:Spammers on GMail (Score:3, Insightful)
Users can choose not to accept mail that isn't signed with a DomainKeys signature. If a user is only accepting signed mail, then his spam filter can make a decision to accept mail or not accept it, based on the reputation of the sending domain: white lists, black lists, refusal to accept mail from a domain that hasn't yet established a track record.
Re:Spammers on GMail (Score:4, Insightful)
I doubt that's really the concern, most spammers don't use mainstream ISPs/E-mail providers as it is, they just fake return addresses from domains of known ISPS/E-mail providers"
I would think the really important thing about this is that Google is respected in the internet industry and that others will certainly follow suit. If enough big players make the effort to ensure email from their domain names is authenticated, email clients could eventually offer the option to only accept emails from proven senders.
Re:User's ISP (Score:3, Interesting)
If the ISP requires authentication, then the person with the infected machine will be easy to find after a spam complaint and shut down for a few days till they clean up their machine.
I just grabbed the statistics for one A/V vendor's top virus alert today (http://www.trendmicro.com/vinfo/virusencyclo/defa ult5.asp?VName=PE_FUNLOVE.4099&VSect=S)
Roughly 10 million infected.
Imagine that having trojan capabilities. If it took one minute to shut off a trojaned, infected computer, that would re
Re:Spammers on GMail (Score:5, Interesting)
Why not? If Google can grow to be numero uno in free webmail providers, that in itself will be a strong convincing factor.
The thing I like about Google - they do good things which forces other companies to follow them. Take search, for instance. Other companies had such horribly cramped search interfaces and ads, until Google came up with a clean and mean interface.
Now everyone - Yahoo!, Altavista, MSN Search - follow's Google's example.
I'm sure that if Gmail was to pick up momentum, the sheer number of users and need for interoperability would kinda force others to follow suit.
All these other providers had the means and the option, but did not do so. MS has so much funds and Hotmail in itself is responsible for a good chunk of spam - if MS had taken this stance, they could easily force other providers to adopt this technology and help decrease spam in the process.
But no.
_This_ is why I like Google. Way to go, guys.
Re:Spammers on GMail (Score:3, Insightful)
But you're missing my point.
Even I've come up with a solution to combat spam [highbrew.com].
That is not the point - the point is actual implementation. Google is at liberty to implement what serves their needs best.
But why does Microsoft not go ahead and implement it in their systems? The system was introduced in June-July, and the last time I checked, guess which of Microsoft's mail services have SPF implemented? Microsft? Hotmail? MSN? Xbox? No
Re:Spammers on GMail (Score:2)
if mail servers start getting bombarded with gmail spam, this is an awfully convenient way to separate spam from legitimate mail coming from gmail addresses.
Re:Spammers on GMail (Score:2)
If Google makes it easy to identify legitimate e-mails from them, they will not suffer the same fate.
Re:why (Score:5, Insightful)
-russ
Re:User-Owned Domains, ISP owned SMTP Servers (Score:2, Informative)
DomainKeys allows for multiple public keys to be published in DNS at the same time. This allows companies to use different key pairs for the various mail servers they run and also to easily revoke, replace, or expire keys at their convenience. Thus, the domain owner may revoke a public key and shift to signing with a new pair at an
Re:how to verify? no txt record for beta.gmail.com (Score:5, Informative)
$ host -t TXT beta._domainkey.gmail.com
beta._domainkey.gmail.