Yahoo! Anti-Spam Resource Center
DomainKeys: Proving and Protecting Email Sender Identity
Email spoofing - the forging of another person's or company's email address to get users to trust and open a message - is one of the biggest challenges facing both the Internet community and anti-spam technologists today. Without sender authentication, verification, and traceability, email providers can never know for certain if a message is legitimate or forged and will therefore have to continually make educated guesses on behalf of their users on what to deliver, what to block, and what to quarantine, in the pursuit of the best possible user experience.
DomainKeys is a technology proposal that can bring black and white back to this decision process by giving email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent (i.e., that they were not altered during transit). And, once the domain can be verified, it can be compared to the domain used by the sender in the From: field of the message to detect forgeries. If it's a forgery, then it's spam or fraud, and it can be dropped without impact to the user. If it's not a forgery, then the domain is known, and a persistent reputation profile can be established for that sending domain that can be tied into anti-spam policy systems, shared between service providers, and even exposed to the user.
For well-known companies that commonly send transactional email to consumers, such as banks, utilities, and ecommerce services, the benefits of verification are more profound, as it can help them protect their users from "phishing attacks" - the fraudulent solicitation for account information, such as credit card numbers and passwords, by impersonating the domain and email content of a company to which users have entrusted the storage of these data. For these companies, protecting their users from fraud emails translates directly into user protection, user satisfaction, reduced customer care costs, and brand protection.
For consumers, such as Yahoo! Mail users or a grandparent accessing email through a small mid-western ISP, industry support for sender authentication technologies will mean that they can start trusting email again, and it can resume its role as one of the most powerful communication tools of our times.
Standardization and License Terms
DKIM is the result of the ongoing commitment from numerous industry players to develop an open-standard e-mail authentication specification, and industry collaboration has played a critical role in the process. Industry leaders who played a valuable role in furthering the development of the DKIM specification include Alt-N Technologies, AOL, Brandenburg Internetworking, Cisco, EarthLink, IBM, Microsoft, PGP Corporation, Sendmail, StrongMail Systems, Tumbleweed, VeriSign and Yahoo!. The participation of these companies has been instrumental in creating this single, signature-based e-mail authentication proposal. The authoring companies will continue to work with these organizations and the IETF on the standardization of the DomainKeys Identified Mail (DKIM) specification so that industry-wide agreement on the best method for validating the identification of email senders can be reached. DomainKeys Identified Mail has begun advancing through the IETF Internet standards process to be ultimately approved as an IETF Internet Standard.
For historical reference, Yahoo! has submitted the DomainKeys framework as an Internet-Draft entitled "draft-delany-domainkeys-base-03.txt". Yahoo!'s DomainKeys Intellectual Property may be licensed under either of the following terms:
Yahoo! DomainKeys Patent License Agreement
GNU General Public License version 2.0 (and no other version).
Yahoo!'s DomainKeys Intellectual Property includes the following patent(s) and patent application(s).
U.S. Patent Number 6,986,049, issued January 10, 2006
U.S. Patent Application Serial Number 10/805,181, filed March 19, 2004
PCT Application PCT/US2004/007883, filed March 15, 2004
PCT Application PCT/US2005/008656, filed March 15, 2005
In accordance with RFC2026, Yahoo! has also submitted the above license statement to the IETF as an IPR Disclosure.
Reference Implementation
In addition to the Internet-Draft, Yahoo! has developed a reference implementation for DomainKeys that can be plugged into Message Transfer Agents (MTAs), such as qmail. A version of this software has been released and is available at mercial and freeware versions). In fact, Sendmail, Inc. has released an open source implementation of the Yahoo! DomainKeys specification for testing on the Internet and is actively seeking participants and feedback for this Pilot Program.
How DomainKeys Works
How it Works - Sending Servers
There are two steps to signing an email with DomainKeys:
Set up: The domain owner (typically the team running the email systems within a company or service provider) generates a public/private key pair to use for signing all outgoing messages (multiple key pairs are allowed). The public key is published in DNS, and the private key is made available to their DomainKey-enabled outbound email servers. This is step "A" in the diagram to the right.
Signing: When each email is sent by an authorized end-user within the domain, the DomainKey-enabled email system automatically uses the stored private key to generate a digital signature of the message. This signature is then prepended as a header to the email, and the email is sent on to the target recipient's mail server. This is step "B" in the diagram to the right.
How it Works - Receiving Servers
There are three steps to verifying a signed email:
Preparing: The DomainKeys-enabled receiving email system extracts the signature and claimed From: domain from the email headers and fetches the public key from DNS for the claimed From: domain. This is step "C" in the diagram to the right.
Verifying: The public key from DNS is then used by the receiving mail system to verify that the signature was generated by the matching private key. This proves that the email was truly sent by, and with the permission of, the claimed sending From: domain and that its headers and content weren't altered during transfer.
Delivering: The receiving email system applies local policies based on the results of the signature test. If the domain is verified and other anti-spam tests don't catch it, the email can be delivered to the user's inbox. If the signature fails to verify, or there isn't one, the email can be dropped, flagged, or quarantined. This is step "D" in the diagram on the right.
In general, Yahoo! expects that DomainKeys will be verified by the receiving email servers. However, end-user mail clients could also be modified to verify signatures and take action on the results.
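Steps A to D above, as an added Python sketch that is not Yahoo!'s reference implementation or code from this page. It assumes a toy unpadded RSA key, a dictionary standing in for DNS, a reduced DomainKey-Signature header, an exact match between the signing domain and the From: domain, and a hypothetical local delivery policy; the selector._domainkey.domain lookup name comes from the DomainKeys draft rather than from this page.

```python
import base64, hashlib

# Toy textbook RSA from two fixed primes: constructed for illustration only,
# unpadded and far too small for real use (real keys are generated per domain).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# Step A: the public key is published in DNS (simulated; real records are TXT).
DNS = {"mail1._domainkey.example.com": (N, E)}
MSG = ["From: Billing <billing@example.com>", "To: user@example.net"]  # constructed
BODY = "Your statement is ready.\r\n"

def digest(headers, body):
    data = "\r\n".join(headers) + "\r\n\r\n" + body
    return int.from_bytes(hashlib.sha1(data.encode()).digest(), "big")

def from_domain(headers):
    for h in headers:
        if h.lower().startswith("from:"):
            return h.rsplit("@", 1)[-1].strip(" >").lower()
    return None

def sign(headers, body, domain, selector):
    # Step B: sign headers and body, then prepend the signature as a header.
    sig = pow(digest(headers, body), D, N).to_bytes(27, "big")
    b = base64.b64encode(sig).decode()
    return [f"DomainKey-Signature: a=rsa-sha1; s={selector}; d={domain}; b={b}"] + headers

def verify(headers, body, dns):
    # Step C: extract signature and claimed From: domain, fetch the key from DNS.
    if not headers or not headers[0].startswith("DomainKey-Signature:"):
        return "none"
    tags = dict(t.strip().split("=", 1) for t in headers[0].split(":", 1)[1].split(";"))
    key = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if key is None or tags.get("d") != from_domain(headers[1:]):
        return "fail"  # key revoked/unpublished, or signer is not the From: domain
    n, e = key
    try:
        sig = int.from_bytes(base64.b64decode(tags.get("b", "")), "big")
    except ValueError:
        return "fail"
    return "pass" if pow(sig, e, n) == digest(headers[1:], body) else "fail"

def deliver(headers, body, dns, always_signs):
    # Step D: assumed local policy; the receiver decides what to do with failures.
    if verify(headers, body, dns) == "pass":
        return "inbox"
    return "drop" if from_domain(headers) in always_signs else "quarantine"
```

Removing the key from the DNS dictionary makes previously valid signatures fail, which is how revocation works in this model.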
Frequently Asked Questions
How will this help stop spam?
How will this help stop fraud/phishing attacks?
Won't spammers just sign their messages with DomainKeys?
What does DomainKeys verify?
Why sign the entire message?
Does DomainKeys encrypt each message?
What public/private key technology is used for DomainKeys?
Who issues the public/private key pairs required by DomainKeys?
Does DomainKeys require signing of the public key by a Certificate Authority (CA)?
How are DomainKeys revoked?
Why not just use S/MIME?
How does DomainKeys work with mailing lists?
Who implements DomainKeys?
Which mail transfer agents (MTAs) support DomainKeys?
How do I deploy DomainKeys?
I don't use my domain's SMTP server to send email. How do I use DomainKeys?
How can I send you feedback?
How will this help stop spam?
Several ways. First, it can allow receiving companies to drop or quarantine unsigned email that comes from domains that are known to always sign their emails with DomainKeys, thus impacting spam and phishing attacks. Second, the ability to verify sender domain will allow email service providers to begin to build reputation databases that can be shared with the community and also applied to spam policy. For example, one ISP could share their "spam vs. legit email ratio" for the domain www.example.com with other ISPs that may not yet have built up information about the credibility and "spamminess" of email coming from www.example.com. Last, by eliminating forged From: addresses, we can bring server-level traceability back to email (not user-level - we believe that should be a policy of the provider and the choice of the user). Spammers don't want to be traced, so they will be forced to only spam companies that aren't using verification solutions.
How will this help stop fraud/phishing attacks?
Companies that are susceptible to phishing attacks can sign all of their outgoing emails with DomainKeys and then tell the world this policy so that email service providers can watch and drop any messages that claim to come from their domain that are unsigned. For example, if the company www.example.com signs all of its outgoing email with DomainKeys, Yahoo! can add a filter to its SpamGuard system that drops any unsigned or improperly signed messages claiming to come from the domain www.example.com, thus protecting tens of millions of example.com's customers or prospective customers from these phishing attacks.
Won't spammers just sign their messages with DomainKeys?
Hopefully! If they do, they'll make it easier for the Internet community to isolate and drop/quarantine their messages using the methods described above in "How will this help stop spam?" Eliminating the uncertainty of "did this email really come from the domain example.com?" will facilitate a whole range of anti-spam solutions.
What does DomainKeys verify?
DomainKeys examines the From: and Sender: headers' domain to protect the user and deliver the best possible user experience. Desktop mail clients like Microsoft Outlook show these headers in their user interfaces. If the user establishes their trust based on these domains, then so should any system built to verify whether that trust is warranted.
Why sign the entire message?
DomainKeys signs the entire message to allow the receiving server to also verify that the message wasn't tampered with or altered in transit. By signing the headers and the body, DomainKeys makes it impossible to reuse parts of a message from a trusted source to fool users into believing the email is from that source.
Does DomainKeys encrypt each message?
DomainKeys does not encrypt the actual message - it only prepends a "digital signature" as a header.
What public/private key technology is used for DomainKeys?
DomainKeys currently uses an RSA public/private key method. The key length is decided by the domain owner.
Who issues the public/private key pairs required by DomainKeys?
The domain owner, or an agent or service provider acting on their behalf, should generate the key pairs that are used for their DomainKeys-enabled mail system.
Does DomainKeys require signing of the public key by a Certificate Authority (CA)?
DomainKeys does not require a CA. Much like a trusted Notary Public, Certificate Authorities are used in public/private key systems to sign, or "endorse," public keys so that the external users of public keys can know that the public keys they receive are truly owned by the people who sent them. Since DomainKeys leverages DNS as the public key distribution system, and since only a domain owner can publish to their DNS, external users of DomainKeys know that the public key they pull is truly for that domain. The CA is not needed to verify the owner of the public key - the presence in that domain's DNS is the verification. However, it is possible that Certificate Authorities may become a valuable addition to the DomainKeys solution to add an even greater level of security and trust.
How are DomainKeys revoked?
DomainKeys allows for multiple public keys to be published in DNS at the same time. This allows companies to use different key pairs for the various mail servers they run and also to easily revoke, replace, or expire keys at their convenience. Thus, the domain owner may revoke a public key and shift to signing with a new pair at any time.
Why not just use S/MIME?
S/MIME was developed for user-to-user message signing and encryption and by design should be independent of the sending and receiving servers. We believe that DomainKeys should be a natural server-to-server complement to S/MIME and not a replacement. Additionally, since S/MIME is used by many security-conscious industries, we need to ensur