by Juan Carlos Perez

Yahoo pitching anti-spam initiative to industry

Dec 05, 2003

Yahoo has developed a system it says will go a long way toward curbing spam, but the technology’s success is dependent on its widespread industry adoption beyond the borders of Yahoo’s e-mail servers.

The Yahoo technology is called DomainKeys and targets the spammers’ practice of spoofing, or changing an e-mail message’s header information so it appears to have been sent by someone else. Spammers do this to increase the chances that the recipient will open the e-mail message.

Yahoo’s DomainKeys is designed to let receiving e-mail systems confirm that a message in fact originated from a user authorized to send e-mail for the domain stated in the header. DomainKeys uses public-key cryptography to accomplish this validation. The outgoing message is digitally “signed” with a private key, while the receiving e-mail system uses a public key to validate the signature.

“This is a clever and secure implementation,” said Brad Garlinghouse, Yahoo’s vice president of communications products. “This system is the right answer for the industry.”

Policies can be implemented in mail servers at the receiving end to deal with messages that fail the validation test. Because the approach is based on the Internet’s DNS (domain name system), DomainKeys is said to provide domain-level credibility. That is, the control over generation and management of keys rests with the domain’s owner, letting them control who has authority to send e-mail using their domain.

Of course, a legitimate organization that doesn’t use DomainKeys will be unable to embed the private-key signature in its outgoing messages, leading these messages to fail the validation test at recipient systems that do use DomainKeys. “To be truly effective, DomainKeys needs widespread adoption,” Garlinghouse acknowledged.
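The signing and validation flow described above, sketched as an added example that is not Yahoo’s DomainKeys code. It assumes a dictionary standing in for DNS, a constructed toy RSA key far too small for real use, and hypothetical function names and result labels; mail from a domain that publishes no key is reported separately so that receiver policy can decide how to treat it.

```python
import hashlib

E = 65537

def make_key(p, q):
    """Toy RSA key from two primes: returns (public (n, e), private d)."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    # Hash the claimed sender and the body so neither can change unnoticed.
    data = (msg["from"] + "\n" + msg["body"]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(msg, public, d):
    """Sending side: attach a signature made with the domain's private key."""
    n, _ = public
    return dict(msg, signature=pow(digest(msg, n), d, n))

def validate(msg, dns):
    """Receiving side: look up the key for the domain named in From."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    public = dns.get(domain)
    if public is None:
        return "unverifiable"   # domain publishes no key (has not adopted)
    n, e = public
    sig = msg.get("signature")
    if sig is None or pow(sig, e, n) != digest(msg, n):
        return "fail"           # unsigned, altered, or signed by another key
    return "pass"

def demo():
    # Constructed keys from Mersenne primes; real keys are vastly larger.
    owner_pub, owner_d = make_key(2**31 - 1, 2**61 - 1)
    spammer_pub, spammer_d = make_key(2**31 - 1, 2**89 - 1)
    dns = {"example.com": owner_pub}   # stand-in for the domain's DNS records
    mail = {"from": "alice@example.com", "body": "Quarterly report attached."}
    good = sign(mail, owner_pub, owner_d)
    return {
        "genuine": validate(good, dns),
        "altered": validate(dict(good, body="Click here!"), dns),
        "spoofed": validate(sign(mail, spammer_pub, spammer_d), dns),
        "unsigned": validate(mail, dns),
        "non_adopter": validate({"from": "bob@example.org", "body": "hi"}, dns),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```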

This is a big challenge for DomainKeys’ success, said Jonathan Gaw, an IDC analyst. “They’ll have to convince a lot of people to cooperate with them,” he said. “It’s going to take a lot of effort on Yahoo’s part to get everybody on board.”

Achieving that type of consensus from people who run mail servers around the world will be difficult, especially at companies that may fail to see what value this has for them, he said. It’s clear that initiatives such as this one are important for big e-mail service providers such as Yahoo, Microsoft’s MSN and America Online, but they are much less so for other companies and organizations that aren’t in the e-mail provision business, he said. Initiatives such as this one have been proposed in the past and have had mixed results, he said.

Yet Yahoo is going to give it its best shot, Garlinghouse said. To promote DomainKeys’ wide adoption, Yahoo will license its source code royalty-free, he said. This open-source approach is also a message to partners and competitors in the industry that DomainKeys will not generate additional money for Yahoo nor give the company a technological advantage as the creator of the system, he said. “The proposal isn’t about creating value for someone in particular,” he said.

Yahoo plans to implement this in its e-mail systems at some point next year. The company has already approached anti-spam organizations and individual e-mail vendors to present DomainKeys, getting positive feedback, and plans to continue evangelizing, he said.