
Yahoo! vs phishing, round two
By Jerome Saiz, Mon, October 8th, 2007
Last edited 2008/01/12
Yahoo! Mail is to strictly enforce its DomainKeys email authentication scheme on emails purportedly coming from eBay or Paypal. And which, more often than not, do not.
Yahoo!'s DomainKeys is an email authentication system that works by digitally signing outgoing emails and allowing the recipient's system to check that signature. The process, done at the server level and thus transparent to the user, makes it quite easy to check whether an email really did come from the company or ISP it claims to come from, and has not been tampered with while en route.
eBay and Paypal phishers, meet DomainKeys.
DomainKeys was already deployed at Yahoo! Mail's border, but so far it would only warn the user within their mailbox. Starting October 11th, it will start actually rejecting emails purportedly coming from eBay and Paypal that fail to present the proper signature. For this to happen, both Paypal's and eBay's email servers had of course to be set up for DomainKeys. This was first tested successfully with Yahoo! Mail users in Australia at the beginning of October.
The choice of eBay and Paypal is not random. Both services are highly targeted by fraudsters, who find them quite useful to launder money, sell stolen goods or steal from legitimate sellers. Hijacked eBay or Paypal accounts also sell easily on the black market, as they facilitate fraud.
If proved successful at such a big scale, the move could very well boost DomainKeys acceptance in other areas. Google's GMail, which already implements the system, would for instance be a good candidate to join eBay and Paypal next. And Yahoo! would also score big if it could get the same agreement with major US banks, which are prime targets for phishing runs.
A slow start within mainstream businesses
While eBay, Paypal and major banks would benefit from deploying DomainKeys (as would Yahoo Mail - or other webmail - users), the proposal might take a while to pick up in mainstream businesses. Surely, DomainKeys is easy and quick to deploy, requiring only minor modifications to the SMTP and DNS servers (and a bit of extra computational power). But the standard is also prone to rejecting legitimate mailing lists (which modify email headers on the way), and is said to be difficult to handle for email servers sending a mix of signed and unsigned emails.
SenderID, the other major email authentication proposal, should be less prone to those drawbacks. However, the two systems are unlikely to merge in the near future. But nothing prevents implementing both, as SenderID (and its SPF model) is even easier to deploy than DomainKeys.
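To make the mechanism concrete, here is a toy DomainKeys signer and verifier covering both the description of the scheme above (sign at the sending server, verify at the receiving one) and the mailing-list caveat in the previous paragraph. This is an added example, not Yahoo!'s code or the DomainKeys reference implementation. It assumes textbook RSA without padding and SHA-256 in place of the real rsa-sha1/PKCS#1 signing, a Python dict standing in for the DNS TXT lookup of the public key, a fixed set of signed headers, and constructed addresses, selectors and messages.

```python
# Added example, not Yahoo!'s code: a toy DomainKeys signer and verifier. Textbook
# RSA (no padding) + SHA-256 stand in for rsa-sha1/PKCS#1; a dict stands in for DNS.
import hashlib, random, re

_rng = random.Random(2007)  # fixed seed so the example is reproducible
def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_keypair(bits=512):
    """Return ((n, e), (n, d)); far too small for real use."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

FAKE_DNS = {}  # "selector._domainkey.domain" -> (n, e); constructed, not real DNS
SIGNED_HEADERS = ("From", "To", "Subject")

def _from_domain(headers):
    m = re.search(r"@([\w.-]+)>?\s*$", headers.get("From", ""))
    return m.group(1).lower() if m else None

def _digest(headers, body):
    """SHA-256 over the signed headers and the body, trailing whitespace trimmed."""
    lines = [f"{n.lower()}:{headers.get(n, '')}".strip() for n in SIGNED_HEADERS]
    data = ("\r\n".join(lines) + "\r\n\r\n" + body.rstrip()).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_message(headers, body, domain, selector, private_key):
    """Return the headers with a DomainKey-Signature added, as the sending MTA would."""
    n, d = private_key
    sig = pow(_digest(headers, body), d, n)
    tag = f"a=rsa-sha256; s={selector}; d={domain}; h={':'.join(SIGNED_HEADERS)}; b={sig:x}"
    return {"DomainKey-Signature": tag, **headers}

def verify_message(headers, body):
    """Return 'none', 'fail' or 'pass', as the receiving MTA would."""
    tag = headers.get("DomainKey-Signature")
    if tag is None:
        return "none"
    fields = dict(re.findall(r"(\w+)=([^;\s]*)", tag))
    key = FAKE_DNS.get(f"{fields.get('s')}._domainkey.{fields.get('d')}")
    # the signing domain must be the From domain: no third-party key may vouch
    if key is None or fields.get("d") != _from_domain(headers):
        return "fail"
    try:
        sig = int(fields["b"], 16)
    except (KeyError, ValueError):
        return "fail"
    n, e = key
    return "pass" if pow(sig, e, n) == _digest(headers, body) else "fail"

def inbound_policy(headers, body, enforced=("paypal.com", "ebay.com")):
    """The announced rule: mail claiming an enforced From domain must verify."""
    if _from_domain(headers) in enforced and verify_message(headers, body) != "pass":
        return "reject"
    return "accept"

def demo():  # constructed messages; returns the policy verdict for each case
    pub, priv = gen_keypair()
    FAKE_DNS["s1._domainkey.paypal.com"] = pub
    hdrs = {"From": "PayPal <service@paypal.com>", "To": "user@yahoo.com",
            "Subject": "Your receipt"}
    body = "Thanks for your payment.\r\n"
    signed = sign_message(hdrs, body, "paypal.com", "s1", priv)
    # a mailing list that rewrites Subject on the way (the caveat in the text)
    relisted = {**signed, "Subject": "[list] " + signed["Subject"]}
    pub2, priv2 = gen_keypair()  # a third domain signing mail with the same From
    FAKE_DNS["s1._domainkey.example.net"] = pub2
    foreign = sign_message(hdrs, body, "example.net", "s1", priv2)
    return {"genuine": inbound_policy(signed, body),
            "tampered_body": inbound_policy(signed, body + "extra line\r\n"),
            "list_rewritten": inbound_policy(relisted, body),
            "foreign_signature": inbound_policy(foreign, body),
            "unsigned": inbound_policy(hdrs, body)}
```

Running `demo()` accepts only the untouched signed message; the body tampered in transit, the copy whose Subject a mailing list rewrote, the message signed by a domain other than the one in its From header, and the unsigned message claiming the same sender are all rejected. The mailing-list case is exactly the false positive the paragraph above warns about: a legitimate message is refused because a relay changed a signed header, which is why the policy is only sensible for domains whose mail never legitimately transits such relays.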
A word of caution
A word of caution, however: two studies conducted in 2005 by MXLogic showed that out of all the emails bearing a correct SPF or Sender ID signature, more than 83% were actually spam. Overall, 13 to 16% of all spam messages bore such a signature. MXLogic explained this by saying that either spammers deployed servers with email signing themselves, or zombified PCs behind a signing gateway would actually send signed spam. While this is actually still good, because it makes it easier to know whether a spam actually came from a known spammer domain or from a careless business soon to be blacklisted, it did dampen the enthusiasm around those solutions somewhat.
There is no such problem, though, with high-profile, highly targeted phishing victims like eBay, Paypal or major banks, for which authentication is very clear-cut. And in that respect, the recent move by Yahoo! is great news for Yahoo! Mail users.
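The SPF model that SenderID builds on, mentioned two paragraphs up, authorises sending IP addresses rather than signing content, and the MXLogic figures above follow directly from that: a domain that publishes a record for its own server gets a "pass" for whatever that server sends. The evaluator below is an added example, not from the article or from any SPF implementation; it assumes a dict standing in for DNS TXT lookups, constructed records using documentation-range addresses, and handles only the ip4, ip6, include and all mechanisms (a, mx and exists are left out).

```python
# Added example, not from the article: a minimal SPF evaluator, the model that
# Sender ID builds on. A dict stands in for the DNS TXT lookups.
import ipaddress

# Constructed records on documentation-range addresses; none of these are real.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    # a sender publishing a record for its own server: the case MXLogic observed,
    # where a correct SPF result says nothing about whether the mail is wanted
    "spammer.example": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate the sender domain's record against the connecting IP.
    Returns pass/fail/softfail/neutral, or none when there is no record."""
    parts = SPF_RECORDS.get(sender_domain.lower(), "").split()
    if not parts or parts[0] != "v=spf1" or depth > 10:  # no record, or include loop
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in parts[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        # ip4/ip6 match by network; a v4 address is never inside a v6 network
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        # include: only a "pass" of the referenced domain's record counts as a match
        if name == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and the record has no "all" term
```

Checking `bank.example` from an address inside its own range or inside the included relay's /26 passes, while any other address fails on the `-all` term; mail from `spammer.example`'s own server passes too, which is the point of the caution above: the result only tells the receiver that the domain owner authorised that server, and the domain's reputation still has to be judged separately.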
