Domain Keys Trial
Yahoo launches Earthlink trials
Yahoo has announced that it has started testing its Domain Keys e-mail authentication technology (see previous report here) together with Earthlink, and hopes the scheme could become the industry standard. According to the Reuters article, Domain Keys provides better security than Microsoft's SenderID but requires roughly 10 percent more computing power to process. Google is already using the technology for its GMail service.

eperos
Premium Member
join:2004-05-02
Brooklyn, NY

Domain Keys Trial

1st post.....

As if all this is gonna help.

TexasGuy
49 States And Texas
Premium Member
join:2002-12-02
Houston, TX

I have a digital sig

I have a "general" 1024-bit private key by Thawte with which I can send encrypted and signed emails. Would it be a different way of signing your email for the SMTP server, or could I use my current key?
--
-- Who drank has died, who drinks will die; is he immortal who is sober? --
         -- I started out with nothing, I still have most of it --

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

Re: I have a digital sig

Authenticating the message content and authenticating the origin of a message are two separate tasks.

Your Thawte key covers only the content, and is in fact a stronger indicator of authorship than the Domain Keys signature. Your Thawte key signs only the message body.

Domain Keys on the other hand is an attempt at automating digital signatures. It signs (some of) the headers of a message, and that's all. Thus, instead of individuals taking the responsibility of obtaining/maintaining/using keys, it covers whole domains and only authenticates headers. Presumably every domain that uses DK in turn requires its participants to authenticate (username/password) to the SMTP server, either explicitly with SMTP auth or implicitly (e.g., Web mail username/password). The advantage of DK is that MUAs can display the origin information with some high degree of certainty. Since virtually all MUAs display a list of some subset of the headers instead of the whole messages, DK has a lot of utility.

Either way, all this does is ensure there is no authorship/origin spoofing. Just because you have provided a valid digital signature of your message, or have provided a Domain Keys signature in the headers of your message, does not imply I want to receive your email. Just because optinrealbig.com provides a valid DK signature header does not mean I want to receive Alan Ralsky's crap.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules. Blog is here
Jeopardy! replies REALLY suck!

TexasGuy
49 States And Texas
Premium Member
join:2002-12-02
Houston, TX

Re: I have a digital sig

So, does one need special software or patches for mail clients to support the new signed headers before sending the mail?

Also, does the SMTP [receiving server] strip the header sig or lets it ride to the recipient?
--
-- Who drank has died, who drinks will die; is he immortal who is sober? --
         -- I started out with nothing, I still have most of it --

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

Re: I have a digital sig

No, one needs special software or patches to mail clients (mail user agents, or MUAs) after sending the mail. Specifically, the MUA needs to be able to recognize that the DK header is there, and how to calculate the sig. (so it can make the same calc. and compare it against the supplied dig. sig.). Then the MUA can display something that indicates the DK sig. was validated.

"the SMTP" (the Simple Mail Transport Protocol) doesn't strip diddly squat.

The whole idea of DK is that MTAs (mail transport agents) do the signing and not individuals. The originating domain's MTA provides the DK sig., and what the receiving MTA decides to do with it (if anything) is a matter of the receiving MTA's configured policy. It may strip the header out because its operators don't like DK (or Yahoo!, or the CEO of Yahoo!, or...). It may pass it through undisturbed. It may generate an additional header signifying it has checked the DK sig. and it has checked out OK, or that it didn't check out. It may discard or bounce any messages that fail DK validation. It may even be as Draconian as to not accept any email that doesn't bear a valid DK signature. The recipient's MUA would then have to decide what to do with the message, possibly sorting those messages with the "failed DK validation" header into a junk folder (or just deleting them outright)...or ones with the "passed" header into a "validated" folder.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules. Blog is here
Jeopardy! replies REALLY suck!
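
The point rchandra makes in the two replies above, that DK signs only a chosen list of headers and leaves the body uncovered, is easier to see in code. The following is an added illustration, not Yahoo's or dslreports' code: a toy RSA-SHA1 signer and verifier over a fixed header list, with a constructed message whose body edit still verifies while a From edit does not (the canonicalization and header list are assumptions for the example, not the real DK algorithm).

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"strings"
)
// Message is a constructed stand-in for a mail message: headers plus body.
type Message struct{ Headers map[string]string; Body string }
// canonicalize builds the signed input from the listed headers only, in that order; the body
// is deliberately left out (the DK limitation rchandra describes). Toy scheme, not Yahoo's.
func canonicalize(m Message, order []string) []byte {
	var b strings.Builder
	for _, name := range order {
		if v, ok := m.Headers[name]; ok {
			b.WriteString(strings.ToLower(name) + ":" + strings.TrimSpace(v) + "\r\n")
		}
	}
	return []byte(b.String())
}
// SignHeaders is the originating MTA's job: RSA-SHA1 over the covered headers.
func SignHeaders(priv *rsa.PrivateKey, m Message, order []string) ([]byte, error) {
	d := sha1.Sum(canonicalize(m, order))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, d[:])
}
// VerifyHeaders is the receiving side's job: recompute the digest and check the signature.
func VerifyHeaders(pub *rsa.PublicKey, m Message, order []string, sig []byte) bool {
	d := sha1.Sum(canonicalize(m, order))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) == nil
}
// Demo signs a constructed message and reports whether it still verifies
// as sent, after the body is edited, and after a covered header is edited.
func Demo() (asSent, bodyEdited, fromEdited bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	order := []string{"From", "To", "Subject"} // which headers the signature covers
	m := Message{Headers: map[string]string{"From": "alice@example.com", "To": "bob@example.net", "Subject": "DK trial"}, Body: "hello"}
	sig, err := SignHeaders(priv, m, order)
	if err != nil { return }
	asSent = VerifyHeaders(&priv.PublicKey, m, order, sig)
	m.Body = "hello, edited in transit" // body is not covered, so this still verifies
	bodyEdited = VerifyHeaders(&priv.PublicKey, m, order, sig)
	m.Headers["From"] = "ceo@example.com" // a covered header changed: verification fails
	fromEdited = VerifyHeaders(&priv.PublicKey, m, order, sig)
	return
}
```

A receiving MTA applying one of the policies rchandra lists would branch on the boolean that VerifyHeaders returns, for instance adding a "passed"/"failed" header rather than stripping the signature.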

rmturner
Member
join:2001-10-18
Kennesaw, GA

So that's how Gmail does it

I did not know that. All I know is there are a few messages in the gmail spam folder every week and they're all junk; I don't even have to think about it. On the other hand, I'm not about to give up procmail/spamassassin on my company mail servers.
--
"No matter how I struggle and strive, I'll never get out of here alive". Hank Williams

Mr Anjon
Anon
@sd130.s-cook.k12.il.

I hope it works

I haven't looked into how these two competing methods work, but they sound just like something that I was working on a long time ago but never submitted or anything.

Basically it classifies mail into categories and then verifies the information.

Business/ISP: A source that will send many transactions at one time or over a period of time. They will build and establish a connection and their authentication window will stay open for some time.

Single/Personal mail: This source will send a smaller amount of mail, usually from a user to a group or user to user. Every new attempt will require authentication; each mail will require authentication.

Authentication: is a simple check to see if the domain the mail says it's coming from resolves to the IP the mail is coming from. This will work for mail setups on dynamic DNS services because the name should resolve to the DNS. Programs like Foxmail and its express mail setting will fail unless you set your program to send it via your ISP's given complete connection domain (IE: connection-ip-city.junk.ISP).
Second level could check to see if the sending account actually exists.
Servers can even set up a registration where personal users can sign up and have a domain name (even dynamic names) tied to specific account info which will be in the header; if the domain and account and key match, the mail is considered authenticated.

Spam fighting: All this system is meant to do is positively identify the sender of mail. Overhead is large but can be reduced for ISP to ISP transactions that will only need to be authenticated once in a large time as long as their record is good; the same thing can go for registered personal senders. Once the sender can be verified it can be a simple task to revoke or allow mail from certain parties through your server.

But I never even got around to writing that much. Oh well, I hope it works. So I can get less spam and hopefully pimp smack these spammers.


How about ..