FutureQuest, Inc.
DomainKeys - What Is It and How Do I Enable It
Posted on 13 May 2007 10:11 PM

DomainKeys is one of several email sender authentication systems. It works by adding a secure digital signature to an email message in the form of a header. The signature can then be used to verify the authenticity of the sending domain (as only the sender could have generated the signature) and the integrity of the message (since the entire message body and most of the headers are covered by the signature, it can be used to verify that the contents have not been tampered with).

Some ISPs are currently using DomainKeys to make decisions on how they process email. If an email is signed, it may be given preferential treatment when sent to these networks. Further, if you have DomainKeys set to say that all email from your domain will be signed, unsigned email arriving at these networks from your domain may be rejected. (More information about the particular settings you can choose is provided below.)

Note that DomainKeys does not directly prevent abusive behavior such as spoofed email and spam. However, it does make such abuse easier to detect, and it opens the possibility for legitimate email providers to work collaboratively in future to identify and combat spam more easily.

For more information on DomainKeys, how it works, and its anticipated long-term benefits, see:

There are three possible modes in which DomainKeys may operate, and you will see these selections in your CNC Email Manager (note: DomainKeys is enabled by default as "Sign some" on all new packages):

Sign none
If a domain chooses this, then no DomainKeys information will be published in DNS and receiving networks will not expect any messages from that domain to be signed.

Sign some
With this setting, DomainKeys information is published in DNS for the domain with a "testing" flag, indicating that some but not all mail from this sending domain may be signed. (This is the default setting for all new packages, and the recommended setting for FutureQuest clients at this time. See special note.*)

Sign all
For this option, DomainKeys information is published in DNS for the domain with no "testing" flag, indicating that only signed email from this domain is considered to be authentic.

Information on domains that have DomainKeys enabled is distributed through the DNS system. As it is done on a domain-by-domain basis, a separate selection can be made for your main domain versus the selection you make for an IR domain.

Note: When you make a DomainKeys selection in your CNC Email Manager, it can take some time for the change to take effect. After making a change, it is advised to wait a few minutes before sending if possible.

If "Sign some" or "Sign all" is chosen, FutureQuest's mail system will sign a message that is relayed through us as long as the From: header domain (me@example.com) matches that of the domain of the SMTP server (mail.example.com) and at least one of the following is true:

1. the SMTP session is authenticated (either with SMTP AUTH or POP-before-SMTP). (For example, this is the case when you send an email from software such as Outlook, Outlook Express, Thunderbird, etc., on your computer using your FutureQuest account settings.)

2. the email is generated locally, such as messages generated by a PHP or CGI script on your web site, via QuestMail, or mailing list messages sent via the CNC. (*See special note.)
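The two rules above (when a message gets signed) and the three modes described earlier (what a receiving network does with unsigned mail) can be put side by side in code. This is an added example, not FutureQuest's own code: it uses the DomainKeys policy-record syntax from RFC 4870 (a TXT record at _domainkey.<domain> with tags t=y for testing and o=- / o=~ for all / some mail signed), and the mapping of the CNC modes onto those records, the sample DNS answers, and the way the server domain is derived from the SMTP host name are all assumptions.

```python
"""Added example (not FutureQuest's code): the signing rule from this article
and a receiver-side reading of DomainKeys policy records (RFC 4870 syntax).
Assumed mapping of the three CNC modes to _domainkey TXT records:
  Sign none -> no record;  Sign some -> "t=y; o=~";  Sign all -> "o=-"."""

# Constructed sample DNS answers, keyed by policy record name.
SAMPLE_DNS = {
    "_domainkey.some.example": "t=y; o=~",   # testing flag, some mail signed
    "_domainkey.all.example": "o=-",         # no testing flag, all mail signed
    # no "_domainkey.none.example" entry: the Sign none case
}


def would_sign(from_addr, smtp_server, authenticated, locally_generated):
    """Sender side: sign only if the From: domain matches the SMTP server's
    domain (assumed: host label dropped, mail.example.com -> example.com)
    and the session is authenticated or the mail was generated locally."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    server_domain = smtp_server.split(".", 1)[-1].lower()
    return from_domain == server_domain and (authenticated or locally_generated)


def parse_policy(txt):
    """Split 'tag=value; tag=value' into a dict; unknown tags are kept."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate(domain, signature_present, signature_valid, dns=SAMPLE_DNS):
    """Receiver side: decide how an unsigned or badly signed message from
    `domain` should be treated. Returns (result, reason)."""
    if signature_present and signature_valid:
        return "pass", "valid DomainKey-Signature"
    txt = dns.get("_domainkey." + domain)
    if txt is None:
        return "neutral", "no policy published (Sign none): treat as unsigned"
    policy = parse_policy(txt)
    if policy.get("t") == "y":
        return "neutral", "testing flag set (Sign some): do not reject"
    if policy.get("o") == "-":
        return "fail", "policy says all mail is signed (Sign all): may reject"
    return "neutral", "policy allows unsigned mail (o=~)"
```

The "fail" branch is the case the article warns about: unsigned mail from an autoresponder or from a non-FutureQuest server under "Sign all" can be rejected, whereas "Sign some" keeps the testing flag set and such mail is simply treated as unsigned.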

On messages signed by DomainKeys, you will see a "DomainKey-Signature:" header in the email. See the following guide for references on accessing the header of an email:
How do I determine the source of an email?

* Autoresponse messages sent from an autoresponder configured in the CNC Email Manager cannot currently be signed. We are working on this so that those emails can also be signed by DomainKeys. If you have FutureQuest autoresponders enabled and/or you do not send all of your domain's email through the FutureQuest servers, we suggest using the "Sign some" option rather than "Sign all".