Inaction Threatens E-mail Authentication

Posted by Chief Marketer Staff

As Microsoft’s November deadline for e-mailers to authenticate messages sent through its servers draws nearer, pressure is mounting on firms to take action.

That month MSN and Hotmail will begin to flag as potential spam incoming messages for which its servers can’t verify the sender’s return address. Any unauthenticated e-mail, even customer service messages, may start ending up in receivers’ junk mail folders.

However, some industry leaders fear that too many companies that send e-mail — but not necessarily commercial e-mail — to consumers will fail to see the benefits of authenticating their messages, and will put the industry fight against spam and phishing in jeopardy.

Spam and phishing (fraudulent e-mail that appears to come from a legitimate financial institution or service provider in order to get consumers to hand over their account numbers and passwords) are costing ISPs ever more money to fight. As a result, mailbox providers are pressuring e-mail senders to adopt various authentication solutions to combat the return-address forgery so common in online scams.

Why more than one standard? “Microsoft, Yahoo! and AOL all went into a room together to try and agree on one standard, and they came out with four,” said Matt Blumberg, chief executive of Return Path Inc., a New York company that, among other things, helps e-mailers achieve greater deliverability. “They just could not agree on anything, and they’re not going to. They agreed to disagree and the world’s going to have to comply with a bunch of different [standards]. The good news is none of them are that hard [to implement].”

Microsoft has taken a stick — as opposed to carrot — approach to get companies that send mail to its MSN and Hotmail users to adopt its authentication technology of choice: Sender ID Framework.

Sender ID, an IP-based solution, verifies that the IP address of incoming e-mail is from a server authorized to send e-mail on behalf of the company named in the e-mail’s return address. AOL is using an IP-based system similar to Microsoft’s.

Meanwhile, Yahoo!, EarthLink and Verizon, among others, are using a cryptographic solution that until recently was called Domain Keys, but as the result of a Yahoo! partnership with Cisco Systems announced in July, is now known as Domain Keys Identified Mail, or DKIM (pronounced dee-kim). It’s not clear when DKIM will begin to affect e-mail deliverability to those providers.

However, “ISPs increasingly are checking inbound Sender ID status and DKIM status, as well as authenticating their outbound messages,” said Trevor Hughes, executive director of the E-mail Service Provider Coalition. As a result, e-mail software and service providers are busy implementing both solutions. Experian subsidiary CheetahMail, for example, announced Aug. 29 that it is fully compliant with Domain Keys. CheetahMail claimed it’s compliant with both leading authentication schemes. Bigfoot Interactive claims it’s been Domain Keys-compliant for two months. For e-mail software and service firms, which can’t afford any deliverability glitches, e-mail authentication is a necessity.

But when it comes to companies that don’t send a lot of mail to consumers, the urgency around e-mail authentication isn’t immediately apparent, said Vipul Ved Prakash, co-founder and chief scientist for anti-spam and -phishing technology provider Cloudmark Inc., San Francisco.

“At this point nobody is going to refuse your mail if it’s not authenticated,” he said. “So you ask yourself, ‘If my e-mail isn’t going to get refused, why should I change my infrastructure and do this?’” During a recent check of 500,000 domains, Cloudmark found that just 1% had implemented DKIM. The two IP solutions are enjoying more widespread use, though. Six months ago, Cloudmark found that 60,000 of 500,000 domains surveyed had adopted one of them.

The IP solutions — Sender Policy Framework (SPF) and Sender ID Framework (SIDF) — are easier to set up than DKIM. Both require publishing SPF records (as DNS text records) for every domain used to send e-mail. Tools and instructions are online at http://spf.pobox.com for creating SPF records and at http://www.microsoft.com/senderid for creating SIDF records.

Though consumer e-mailers have far more at stake in authentication than business-to-business e-mailers, that will change soon enough, according to Hughes. Business-to-business mailers, he said, “are as responsible for the e-mail ecosystem as everybody else, so it’s important for them to step up to the plate as well. I recognize they don’t have the deliverability carrot, nor the filtering stick to really drive them right now. But it’s coming, and they’ll see it in the months ahead.”

For example, he said, most companies use a Brightmail off-the-shelf filter to block spam. “When Brightmail puts authentication into their filter, all of a sudden everybody’s got to be authenticated,” Hughes said. And business-to-business mailers that don’t have authentication systems in place once off-the-shelf filters begin to employ them will find their e-mail flagged as unauthenticated, and possibly shunted off into their customers’ junk folders.

What to do? “Make sure that you’re at least registering the domain name with the appropriate IP addresses for your mass corporate marketing mail,” said Ben Isaacson, CheetahMail’s privacy and compliance leader. “Whether you use SPF or Sender ID, that’s the least you can do to be a responsible e-mailer today. If you’re using an [e-mail service provider] they do it for you. If you’re doing it in house, you’ve got to look to your own tech-support people.”

The tricky part is accounting for all the IP addresses from which e-mail is sent, said Isaacson. For instance, a company based in Ohio may have a call center in Omaha, NE that sends e-mail to customers on the firm’s behalf. “That e-mail also needs to be accounted for with your overall authentication initiative,” he added.
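To make concrete what an IP-based check actually does, and why the overlooked call center in Isaacson's example matters, here is a small SPF-style evaluator. This is an added example, not code from the article or from any of the vendors it names. It replaces real DNS with a constructed lookup table, uses made-up `.test` domains and documentation IP ranges, and supports only the `ip4`, `ip6`, `include` and `all` mechanisms (a real resolver also handles `a`, `mx`, `exists`, macros and DNS lookup limits). The second function audits a list of the addresses a company really sends from against its published policy, which is the inventory problem the paragraph above describes.

```python
"""Simplified SPF-style sender check (added example; constructed data only)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> list of TXT records.
# 'example-retailer.test' lists HQ marketing servers and an e-mail service
# provider, but forgets the call center's range (192.0.2.0/28).
# 'example-retailer-fixed.test' is the same policy with that range added.
CONSTRUCTED_DNS = {
    "example-retailer.test": [
        "v=spf1 ip4:203.0.113.0/24 include:esp.example.test -all"
    ],
    "esp.example.test": [
        "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all"
    ],
    "example-retailer-fixed.test": [
        "v=spf1 ip4:203.0.113.0/24 ip4:192.0.2.0/28 include:esp.example.test -all"
    ],
}

# Constructed inventory of where the company actually sends mail from.
CORPORATE_SENDING_IPS = {
    "203.0.113.5": "HQ marketing mail server",
    "198.51.100.10": "e-mail service provider",
    "192.0.2.7": "Omaha call center",  # not in the original SPF record
}

# SPF qualifier prefix -> evaluation result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns):
    """Return the first 'v=spf1' TXT record for the domain, or None."""
    for txt in dns.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, dns, depth=0):
    """Evaluate the domain's SPF policy for the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (unsupported mechanism or include chain too deep).
    """
    if depth > 10:  # SPF limits DNS-querying mechanisms; cap recursion
        return "permerror"
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced domain's policy passes.
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr, macros: not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record had no 'all' term


def find_unlisted_senders(domain, sending_ips, dns):
    """Return the sending IPs that the domain's published policy does not pass."""
    return [ip for ip in sending_ips if check_spf(ip, domain, dns) != "pass"]


if __name__ == "__main__":
    for domain in ("example-retailer.test", "example-retailer-fixed.test"):
        missing = find_unlisted_senders(domain, CORPORATE_SENDING_IPS, CONSTRUCTED_DNS)
        print(domain, "unlisted senders:",
              [f"{ip} ({CORPORATE_SENDING_IPS[ip]})" for ip in missing] or "none")
```

Run as a script, the audit reports the call center's address as unlisted for the original record and nothing for the corrected one; a receiver applying the original policy would return `fail` for the call center's mail, which is exactly the "flagged as unauthenticated" outcome the article warns about.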

No one claims that e-mail authentication alone will end the spam and phishing problem. But e-mailbox providers plan to use authentication to keep running scorecards — accreditation and/or reputation systems — on e-mail senders so they can determine the likelihood that incoming mail is spam.

AOL introduced the first such system more than a year ago: the enhanced whitelisting program. On Aug. 29, Alpharetta, GA-based e-mail security vendor CipherTrust launched TrustedSource.org, “a free online resource that provides precise information about e-mail sender reputation by domain and IP address.” CipherTrust gathers this reputation information from the more than 4,000 IronMail Gateway e-mail security appliances it’s sold worldwide.

Isaacson believes IP-based e-mail authentication should be part of the domain-name registration process. “We need absolute critical mass for this to be successful. None of us were thinking this was going to happen overnight, but the momentum for registration is not picking up as fast as I would’ve thought. Part of the reason is that the business community doesn’t have this as part of their normal setup process.”

Authentication Resources

For more detailed information:

http://www.emailauthentication.org/resources/
http://antispam.yahoo.com/domainkeys
http://postmaster.aol.com
www.deliverability.com

For information and tools to publish SPF records:

http://www.microsoft.com/senderid
http://spf.pobox.com
