Yahoo! Anti-Spam Resource Center - DomainKeys by bucy at 11:02 pm EDT, May 19, 2004
] DomainKeys is a technology proposal that can bring black and white back to this decision process by giving email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent (i.e., that they were not altered during transit).
] And, once the domain can be verified, it can be compared to the domain used by the sender in the From: field of the message to detect forgeries. If it's a forgery, then it's spam or fraud, and it can be dropped without impact to the user.
] If it's not a forgery, then the domain is known, and a persistent reputation profile can be established for that sending domain that can be tied into anti-spam policy systems, shared between service providers, and even exposed to the user.
DomainKeys: Proving and Protecting Email Sender Identity by Graham at 5:05 am EDT, Oct 4, 2005
How DomainKeys Works

How it Works - Sending Servers

There are two steps to signing an email with DomainKeys:

Set up: The domain owner (typically the team running the email systems within a company or service provider) generates a public/private key pair to use for signing all outgoing messages (multiple key pairs are allowed). The public key is published in DNS, and the private key is made available to their DomainKey-enabled outbound email servers. This is step "A" in the diagram to the right.

Signing: When each email is sent by an authorized end-user within the domain, the DomainKey-enabled email system automatically uses the stored private key to generate a digital signature of the message. This signature is then pre-pended as a header to the email, and the email is sent on to the target recipient's mail server. This is step "B" in the diagram to the right.

How it Works - Receiving Servers

There are three steps to verifying a signed email:

Preparing: The DomainKeys-enabled receiving email system extracts the signature and claimed From: domain from the email headers and fetches the public key from DNS for the claimed From: domain. This is step "C" in the diagram to the right.

Verifying: The public key from DNS is then used by the receiving mail system to verify that the signature was generated by the matching private key. This proves that the email was truly sent by, and with the permission of, the claimed sending From: domain and that its headers and content weren't altered during transfer.

Delivering: The receiving email system applies local policies based on the results of the signature test. If the domain is verified and other anti-spam tests don't catch it, the email can be delivered to the user's inbox. If the signature fails to verify, or there isn't one, the email can be dropped, flagged, or quarantined. This is step "D" in the diagram on the right.

In general, Yahoo! expects that DomainKeys will be verified by the receiving email servers. However, end-user mail clients could also be modified to verify signatures and take action on the results.
Just found out about this from a Thunderbird update. If it works then this sounds like a very good way to help cut down on phishing specifically, and possibly to help cut back spam in general.
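The signing and verification flow quoted above (steps A to D), as an added example in Go that is neither Yahoo!'s code nor part of the original posts. A map stands in for DNS, the `DomainKey-Signature` header layout, the `mail` selector and the `_domainkey` label are simplified assumptions rather than the real DomainKeys wire format, and the sample message is constructed. The receiver side does the two checks the posts describe: the signature must verify under the key fetched for the signing domain, and that domain must match the domain in From:. It exercises a genuine message, one altered in transit, and one that carries a perfectly valid signature from a different domain than the one From: claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// dnsRecords stands in for DNS in this example (constructed): a domain's public key is
// published under "<selector>._domainkey.<domain>"; a real verifier issues a TXT query.
var dnsRecords = map[string]*rsa.PublicKey{}

// PublishKey is step A: the domain owner places the public key in DNS.
func PublishKey(domain, selector string, pub *rsa.PublicKey) {
	dnsRecords[selector+"._domainkey."+domain] = pub
}

// headerValue returns the value of the first header with the given name (case-insensitive).
func headerValue(msg, name string) string {
	head := strings.SplitN(msg, "\r\n\r\n", 2)[0]
	for _, line := range strings.Split(head, "\r\n") {
		if i := strings.Index(line, ":"); i > 0 && strings.EqualFold(line[:i], name) {
			return strings.TrimSpace(line[i+1:])
		}
	}
	return ""
}

// SignMessage is step B: hash headers and body, sign with the private key and prepend the
// signature as a header. The header layout is a simplification, not the real DomainKeys format.
func SignMessage(msg, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	hdr := fmt.Sprintf("DomainKey-Signature: d=%s; s=%s; b=%s\r\n",
		domain, selector, base64.StdEncoding.EncodeToString(sig))
	return hdr + msg, nil
}

// VerifyMessage is steps C and D: fetch the claimed signing domain's key, check the signature
// over everything below the signature header, then require that domain to equal the From: domain.
func VerifyMessage(signed string) error {
	tags := map[string]string{}
	for _, part := range strings.Split(headerValue(signed, "DomainKey-Signature"), ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || len(sig) == 0 {
		return fmt.Errorf("missing or malformed DomainKey-Signature header")
	}
	pub, ok := dnsRecords[tags["s"]+"._domainkey."+tags["d"]] // step C: DNS lookup
	if !ok {
		return fmt.Errorf("no DomainKeys record for %q", tags["d"])
	}
	parts := strings.SplitN(signed, "\r\n", 2) // the signed material is everything below the header
	if len(parts) < 2 {
		return fmt.Errorf("malformed message")
	}
	digest := sha256.Sum256([]byte(parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature does not verify: altered in transit or wrong key")
	}
	from := headerValue(parts[1], "From")
	fromDomain := strings.TrimSuffix(from[strings.LastIndex(from, "@")+1:], ">")
	if !strings.EqualFold(fromDomain, tags["d"]) {
		return fmt.Errorf("signed by %s but From: claims %s", tags["d"], fromDomain)
	}
	return nil
}

// RunScenarios signs a constructed message and verifies three deliveries: the genuine one, one
// altered in transit, and one signed by another domain's valid key while From: claims example.com.
func RunScenarios() (genuine, altered, forged bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	PublishKey("example.com", "mail", &alice.PublicKey)
	PublishKey("other.test", "mail", &other.PublicKey)
	msg := "From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\nLunch?\r\n" // constructed
	signed, err := SignMessage(msg, "example.com", "mail", alice)
	if err != nil {
		return
	}
	spoof, err := SignMessage(msg, "other.test", "mail", other)
	if err != nil {
		return
	}
	genuine = VerifyMessage(signed) == nil
	altered = VerifyMessage(strings.Replace(signed, "Lunch?", "Send money", 1)) == nil
	forged = VerifyMessage(spoof) == nil
	return
}

func main() {
	g, a, f, err := RunScenarios()
	fmt.Println("genuine:", g, "altered:", a, "forged:", f, "err:", err)
}
```

Only the first case passes; the altered message fails the signature check, and the cross-domain one fails the From: comparison even though its signature is valid, which is exactly why step D compares the signing domain to From: rather than trusting any verifiable signature. A real verifier would also canonicalize headers and body before hashing and cope with mail relays that rewrap lines; that is left out here.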