Monday, 08 December, 2003

Yahoo's email authentication plans

On my morning scan of Techdirt I picked up this story about Yahoo working on an email authentication plan that would let senders prove they are who they say they are.  This comes only two and a half years after I suggested it here (May 15, 2001).

The beauty of Yahoo's plan is that it will continue to work with existing message traffic, allowing even unauthenticated email to pass.  That might seem folly at first glance.  The article is short on detail, but I suspect that Yahoo will have a way to flag a message as authenticated or not, thereby giving email clients a method of filtering unauthenticated messages.  Yahoo will make the source of their "Domain Keys" software available to open-source email software and systems, which means that a large percentage of clients will have the ability to create and filter these messages.  I wonder if they'll also make it available to developers of proprietary systems.  I certainly hope so.  Otherwise we'll end up with competing standards that will make the problem even worse.

This is exactly what we've needed: a major player in the email space to take the lead and implement something.  If it works out well for Yahoo, then the other major email providers will have ample incentive to follow suit.  Some will argue that reverse DNS lookup is already available, and since very few servers use it today, there's no reason to expect that they'll use this new system that is essentially the same thing: a DNS "private key" lookup.  The article doesn't provide any detail, but I would suspect that Yahoo's people looked into SMTP authentication and found it lacking.  The system the article describes sounds stronger than what's already available.  I sure hope it works out.