19 October 2004

DomainKeys Versus the Spam Kingdom

As Slashdot reported yesterday, Gmail has begun signing all its outgoing mail using Yahoo!’s DomainKeys. The system works like a very complicated wax seal. Imagine that I told everyone that I’d never send a letter without melting my seal onto it, and imagine that it’s impossible to duplicate my seal and only I have access to it. If you got a letter from me bearing my seal, you’d know that it was from me and that no one had already opened it. If you got a letter that didn’t have a seal, you’d know it might not be genuine. Google is the first major mail provider to support the technology (ahead even of Yahoo!, which invented it), but hopefully their backing will get other services to jump on board.

An interesting consequence of this is that lots of legitimate services are going to start getting themselves into trouble. Say you read a news story you think a friend might find interesting. You might click their little “email this” button, fill out your name and address, their name and address, and click “send.” Many sites will send the email with your address as the sender. The problem is that you didn’t really send this email, the news site’s server did, and it’s just pretending to be you*. This doesn’t seem like that big of a deal, but generally I don’t want any email going out from my account if I didn’t actually type the message.

Since Gmail is now signing all of its messages with a domain key, you can be certain that any unsigned mail from a Gmail address was not sent by that address’s owner. In the above example, the email sent from the news site wouldn’t be signed, as it didn’t go through your email provider. Gmail has already started putting in a warning message whenever an unsigned letter comes in, so if you get a news snippet it might register as suspect because they spoofed your address. This is a good thing, because hopefully it’ll put the pressure on legitimate sites to stop spoofing.

Most email has very little security built in. Spammers use that fact to send out millions of messages using fake email addresses. Virus writers use that fact to send out malicious code using your address. From what I can tell, DomainKeys is a good, open service that anyone can use for free. If enough email providers jump on board, it could virtually eliminate spam.

*Yahoo! does this correctly. It sends all its mail from “refertofriend@reply.yahoo.com” and puts your address in the “reply-to” field. Many websites get it wrong, including the comment notification systems in Movable Type and TypePad.
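The receiving-side reasoning above and the Reply-To approach from the footnote, as an added Python sketch that is not from the original post or from any mail provider's code. The `SIGNS_ALL_MAIL` set, the function names and the sample addresses are assumptions made for illustration, and the check looks only at whether a `DomainKey-Signature` header is present and names a matching domain; it does not verify the signature itself.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains known to sign every outgoing message. DomainKeys lets a
# domain publish this in DNS; it is hard-coded here so the example runs offline.
SIGNS_ALL_MAIL = {"gmail.com"}

def build_referral(user_addr, friend_addr, site_addr, spoof_sender):
    """Build an "email this" message, either spoofing the user or using Reply-To."""
    msg = EmailMessage()
    # Spoofing puts the user's address in From; the correct form uses the site's.
    msg["From"] = user_addr if spoof_sender else site_addr
    if not spoof_sender:
        msg["Reply-To"] = user_addr  # replies still reach the user
    msg["To"] = friend_addr
    msg["Subject"] = "A story you might like"
    msg.set_content("Constructed sample body.")
    return msg

def signing_domain(msg):
    """Return the d= (signing domain) tag of DomainKey-Signature, or None."""
    header = msg.get("DomainKey-Signature")
    if header is None:
        return None
    for tag in str(header).split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None

def classify(msg):
    """Presence and domain-match check only; a real verifier also checks the signature."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    signed_by = signing_domain(msg)
    if signed_by is None:
        # Unsigned mail is only suspicious when the From domain signs everything.
        return "suspect" if from_domain in SIGNS_ALL_MAIL else "unsigned"
    # The From domain must be the signing domain or one of its subdomains.
    if from_domain == signed_by or from_domain.endswith("." + signed_by):
        return "signed"
    return "suspect"
```
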