Articles: Fighting SPAM using PKI
Spam is an increasing problem for most, and personal statistics show that somewhere between 50 and 60 per cent of the emails yours truly gets are SPAM. Thankfully, measures are being taken to reduce this problem.
Added: 2006-04-06 13:03:12 - Modified: 2006-09-23 23:20:54 - Level: Beginner
What is DNS
DNS is the abbreviated form of Domain Name System. When you visit a website such as kfwebs.net, your computer sends a request to translate the domain name, kfwebs.net, from a human-readable form into a computer-readable form, referred to as an IP address. At the time of writing, the IP address of kfwebs.net is 213.161.224.2.
What is PKI
PKI is short for Public Key Infrastructure. The concept is that, unlike in most daily life situations, where you use the same key to both lock and unlock e.g. a door, you have two keys: one for locking and one for unlocking. Technically this is called asymmetrical key cryptography. The equivalent of an ordinary lock would be called symmetrical key cryptography.
The reason for this is, amongst other things, that you can safely transmit the locking key, referred to as the public key, while you still keep the unlocking key, the private key. So you make the public key available to everyone, but keep the private key to yourself.
An analogy to real life: say you live in a busy street and are worried that someone might get into your house. Using PKI you can give a locking key to your neighbors in case you forget to lock the door one day while walking away from your house.
A free implementation based on PKI is OpenPGP. You can use OpenPGP for free by using GnuPG. You can read more about how to secure your communication at secure-my-email.com
PKI and DNS
By storing a PKI certificate in the DNS record, it is possible to verify that an email is coming from the server it claims to be coming from. This requires the message to be digitally signed, and the receiving email server has to verify the signature using the public component of the PKI certificate.
Only the holder of the private component of the PKI certificate is able to digitally sign a message that can be verified by that public key component, and that enables the theory to be utilized in a number of schemes. Before we proceed we will go into a little more detail with regards to the different terms used in this article.
How can you fight SPAM using PKI
The primary concern of most existing standards is not to stop spam, but to stop forgery. That is, if you receive an email that claims to be from alice@abc.com, it really is from abc.com. As it is today, anyone can claim to be from anyone, so if I want to send an email to someone claiming to be from abc.com although my real address is kfwebs.net, I can do so.
This is why there is a need for authentication schemes such as OpenPGP in order to ensure that the sender is who he or she claims to be.
Implementing cryptographic services on the mail server (referred to as the Mail Transfer Agent (MTA) from now on) will help in ensuring the authenticity of the sender-MTA by verifying the message signature on a receiving-MTA. This only ensures the authenticity of the domain, and not the authenticity of the sender; you will still want to use a scheme such as OpenPGP for that.
Whitelists and blacklists
Only after you can be sure that the email actually originates from the mail server it claims to come from can you use whitelists and blacklists for email properly. A typical approach for spammers is to use the same sender address as receiver address. This way the email seems to both originate from and be sent to e.g. bob@bobsdomain.com, getting past any whitelist he might have for bobsdomain.com, even though the email itself could have been sent from anywhere.
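The following added example (not code from the original article) contrasts a whitelist that trusts the From header with one that is applied only after the claimed domain has been authenticated. The `verified_domain` argument is an assumption standing in for the result of the receiving MTA's signature check against the key published in DNS; the lists and messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample policy for the recipient bob@bobsdomain.com.
WHITELIST = {"bobsdomain.com"}
BLACKLIST = {"bulkmail.example"}

def claimed_domain(raw_message):
    """Domain the message claims in its From header (unverified)."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""

def list_verdict(domain):
    if domain in BLACKLIST:
        return "reject"
    if domain in WHITELIST:
        return "accept"
    return "filter"  # unknown sender: hand over to normal spam filtering

def naive_verdict(raw_message):
    """Applies the lists to whatever the From header says."""
    return list_verdict(claimed_domain(raw_message))

def authenticated_verdict(raw_message, verified_domain):
    """Applies the lists only when the claimed domain was authenticated.

    verified_domain is an assumption of this example: the domain whose
    DNS-published public key verified the message signature on the
    receiving MTA, or None when no valid signature was found.
    """
    domain = claimed_domain(raw_message)
    if not domain or verified_domain is None or verified_domain.lower() != domain:
        return "filter"  # the claim is unproven, so the lists say nothing
    return list_verdict(domain)

# Constructed messages: the first has a forged From header.
SPOOFED = ("From: Bob <bob@bobsdomain.com>\nTo: bob@bobsdomain.com\n"
           "Subject: Cheap watches\n\nBuy now\n")
GENUINE = ("From: carol@bobsdomain.com\nTo: bob@bobsdomain.com\n"
           "Subject: Lunch\n\nAt noon?\n")

if __name__ == "__main__":
    print(naive_verdict(SPOOFED))
    print(authenticated_verdict(SPOOFED, None))
    print(authenticated_verdict(GENUINE, "bobsdomain.com"))
```

A signature that verifies for a different domain than the one in the From header is treated the same as no signature at all.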


