Domain Keys is another flavour of email sender authentication, along with SPF and Microsoft Sender I.D., designed to help ensure that email which claims to be from Sender X is in fact from Sender X. Developed last year by Yahoo, and deployed last month, its primary purpose in life is to help prevent the forging of the return address in email. (The same holds true for SPF and Sender I.D.; in all three cases they are anti-forgery schemes. Now that you know that, whenever you hear someone bemoan that SPF or Sender I.D. or Domain Keys doesn’t stop spam, you can look smugly down your nose at them and inform them that they never were about stopping spam — they are about stopping forgery).
However, surprise surprise, it turns out that phishers have started adopting Yahoo’s Domain Keys technology and using it in their phishy email.
Why this is a surprise to anyone is beyond Aunty. It is not only exactly what happens with any email technology designed to help ensure the delivery of email, but it is exactly what you would expect to happen.
The question is not whether scammers, spammers, and other nefarious Internet baddies adopt the technology. The question is whether they can adopt it successfully.
By way of example, the company Habeas (disclaimer: Aunty has in the past been involved with Habeas) knew full well that spammers would attempt to use the Habeas system for assured email delivery to force delivery of their own spam. In fact, they counted on it, and had planned accordingly. So, rather than finding that the adoption of the Habeas technology facilitated the delivery of their spam to the inbox, the spammers found that the adoption of the Habeas technology facilitated the delivery of a lawsuit to their doorstep.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
So the simple fact that phishers have started using Domain Keys really means nothing, in and of itself. The question is, are they using it successfully? Or is it working exactly as its supposed to, with the Domain Key-laden phishmail not actually being authenticated and linked to the server which actually sent it?
Remember, the owls are not what they seem.