Merak Email Server : DomainKeys Technology

Abstract

Since version 8.2.7 beta, Merak Email Server has included DomainKeys, a secure but easy-to-use technology for checking the domain of a mail sender. DomainKeys, originally designed by Mark Delany of Yahoo!, has quickly become a success among mail-server programmers and developers.

Full text

PRAGUE 09/05/2005:

Merak Email Server, the premier product of the software company IceWarp Ltd., now adds a crucial and powerful security enhancement: DomainKeys technology.

DomainKeys is a proposed email authentication system for validating and proving the authenticity of an email sender's domain, as well as the consistency and completeness of the message.

DomainKeys performs functions analogous to Sender Policy Framework (SPF), because it stops falsification of email sender domains. However, DomainKeys is more complex than SPF, because it can also ensure that the content of the email was not changed or altered in any way during SMTP transit.

The major advantages of this technology are the following:

  • The receiver of the email can trust the email originator and the message contents if the DomainKeys analysis succeeds
  • Increased effectiveness of domain black and white listing
  • More effective antispam control, and automated actions can be taken based on the results of the DomainKeys analysis
  • Abusive domain owners can now be traced
  • DomainKeys is entirely compatible with all SMTP and DNS based servers

The DomainKeys signing process is basically very easy. It works by applying a hash to the body of the outgoing mail message (for example using the SHA1 algorithm) and encrypting the result with an RSA private key. Mark Delany's original draft also includes additional encoding of this encrypted data with Base64. The output string is then inserted into the email message as the first message header, named "DomainKey-Signature:".

On the receiving end of the communication process, the SMTP server receiving such a message takes the originating domain name, the string _domainkey, and a selector from the message header, and performs a DNS lookup for the corresponding TXT record. The result of this DNS lookup includes the RSA public key of the originator's domain. The receiving SMTP server with DomainKeys can thus decipher the value of the header hash and calculate the hash value for the rest of the email message (body). If these two values match, then the mail truly comes from the originating domain, and the content was not altered during the Internet transmission.

In addition to this outstanding transparency, Merak Instant AntiSpam (MIAS) greatly profits from the DomainKeys technology. Merak Instant AntiSpam is based on the "method scoring increment" and thus can take advantage of DomainKeys easily. Basically, decrypting the incoming mail's signature and matching the hash values can have only three results:

  • The deciphered header value and the recalculated message body hash match. This is typical for genuine mail messages and thus no score is added to the total message score by MIAS.
  • The DomainKey signature is invalid or missing, but the originator's domain has a DNS TXT record. This is suspicious and characteristic of forged email messages, and there should be a warning for this behavior. The Merak Instant AntiSpam total message score is increased.
  • There is no DNS record for the domain and no "DomainKey-Signature:" in the message header. The status is then unknown and the action taken depends on the settings within MIAS.
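
The signing step, the receiving-side check and the three outcomes described above, as an added Python example that is not code from Merak or from the DomainKeys draft. It follows this page's simplified description (a hash of the body only, no canonicalization); the RSA key built from two Mersenne primes, the `DNS` dictionary standing in for TXT lookups, and the names `sign` and `check` are constructed for illustration.

```python
import base64
import hashlib

# Constructed demo key built from two Mersenne primes: NOT secure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus length in bytes
SHA1_INFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo for SHA-1

def encode(body: bytes) -> int:
    """PKCS#1 v1.5 signature padding around SHA-1(body), as an integer."""
    t = SHA1_INFO + hashlib.sha1(body).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(body: bytes, domain: str, selector: str) -> str:
    """Sender side: hash the body, apply the private key, Base64 the result."""
    sig = pow(encode(body), D, N).to_bytes(K, "big")
    return f"a=rsa-sha1; s={selector}; d={domain}; q=dns; b={base64.b64encode(sig).decode()}"

def check(header, body: bytes, sender_domain: str, dns: dict) -> str:
    """Receiver side: return 'pass', 'suspicious' or 'unknown'."""
    if header:
        tags = dict(t.strip().split("=", 1) for t in header.split(";") if "=" in t)
        # Key lookup name: <selector>._domainkey.<domain>
        key = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
        if key and tags.get("d") == sender_domain:
            n, e = key
            try:
                sig = int.from_bytes(base64.b64decode(tags.get("b", "")), "big")
            except ValueError:
                sig = n                     # undecodable value can never verify
            if sig < n and pow(sig, e, n) == encode(body):
                return "pass"               # outcome 1: hashes match
    # Outcome 2: signature invalid or missing although the domain publishes keys.
    # Outcome 3: no record at all (a header without any record also lands here,
    # which is an assumption; the page does not cover that case).
    published = any(name.endswith("._domainkey." + sender_domain) for name in dns)
    return "suspicious" if published else "unknown"

# Constructed DNS data: a (modulus, exponent) tuple stands in for the TXT record.
DNS = {"mail._domainkey.example.net": (N, E)}
```

A scoring filter would add nothing for `pass`, raise the message score for `suspicious`, and apply its configured default for `unknown`.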

There are also some potential disadvantages of using DomainKeys. The dominant issues include the following:

  • The DNS is not currently secure, but it is expected that the security problems will be solved by secured DNS, a draft called DNSSEC.
  • DomainKeys creates additional DNS load, so if you are a DNS server operator, be prepared for an increase in queries
  • Unauthorized access to your private key, which results in unauthorized access to your identity
  • Increased CPU consumption due to intensive computation of verification hash

In any case, these disadvantages stem from technical evolution, so there is no need to wait with DomainKeys deployment. Upgrade your mail server to the latest Merak, because with Merak Email Server you can bet that you will be using software from the technology leader at any time.

About IceWarp

IceWarp, Ltd. was started in 1999 with the development of Merak version 1. Merak's exceptional product stability, performance, reliability and value quickly got the attention of business and ISP customers. This has produced strong sales and double-digit sales growth year after year. During this time, IceWarp has maintained a technology leadership position by continuing to advance Merak through many industry firsts, including:

  • First mail server supporting SSL
  • First mail server with Web mail
  • First integrated multi-threaded antivirus
  • First integrated anti-spam
  • First GroupWare with API (ODBC based)
  • And now, the first server with integrated FTP and Web server capabilities

Contact address

IceWarp Ltd. is located at City House, 6 Karaiskakis street, CY-3040 Limassol, Cyprus

info@icewarp.com