Pete Freitag

SPF and DomainKeys Plugin for Thunderbird

Published on January 21, 2005
By Pete Freitag
web

Joshua Tauberer's Sender Verification plugin for Thunderbird now supports Yahoo! DomainKeys.

I have been using the plugin for a few days now, and it works pretty well. You might need to tell it some IPs of mail servers on your network, but the interface makes it easy to do this as needed. You probably also want to host your own lookup server (a Perl script you can download from the site); there is only one default, and I'm sure it will start to slow down as more people use it.

If you're not familiar with SPF or DomainKeys, here's how they work...

SPF

SPF records are simply DNS records that tell mail servers receiving your mail which IP addresses are allowed to send mail from your domain. So if I run on my Unix command line:

dig TXT cfdev.com

I get the result:

"v=spf1 mx ptr ip4:12.153.139.48/28 ~all"

That's my SPF record for cfdev.com. It says that any MX record, anything that points to *.cfdev.com, or any IP within our subnet are the ONLY hosts that can send mail from cfdev.com. The ~all means that if the mail came from anywhere else, your mail server is free to discard it or do with it what it wants.

SPF allows for an easy way to prevent phishing scams from reaching your mailbox. Since PayPal has set up SPF records (I think they just did this finally!) you can block mail that does not match their SPF policy.

There is a handy tool that will help you build SPF records for your domain at: spf.pobox.com (no longer works)

DomainKeys

Yahoo! authored the spec on DomainKeys, which uses public/private key cryptography. You publish your RSA public key in a DNS record (called a selector record), and all messages you send are signed on your SMTP server with the private key. The signature is added in the DomainKeys-Signature header in your email.

When someone receives your email they can then verify your signature using the public key found in your DNS. If the signature verifies, you have validated both the sending domain, and that the message has not been altered in transit.

More info on DomainKeys: antispam.yahoo.com/domainkeys

I have been pretty intimate with both of these specs, as my company is building an email server called XMS, and I have been working on filters for these protocols. It would have been handy to have this Thunderbird plugin when I was writing the DomainKeys signature filter.


SPF and DomainKeys Plugin for Thunderbird was first published on January 21, 2005.


Comments

Your SPF record should state:
"v=spf1 mx ptr ip4:12.153.139.48/28 -all"

"-all" means that no other servers are allowed to send mail from your domain and is an excellent setting for sites particularly concerned about forgery.
by James Moberg on 05/08/2005 at 4:17:12 PM UTC