E-mail authentication is not an either-or proposition. As businesses and e-mail service providers struggle to protect their customers and brands, they're adopting any e-mail authentication method that can put the kibosh on spam and phishing - even if it is less than ideal.
Sender Policy Framework (SPF) and Sender ID, for example, are widely deployed even though neither does much to stop spam on its own and both produce false positives on legitimately forwarded messages: each checks whether the IP address delivering a message is one the sender's domain has authorized, so a message relayed by a forwarder or mailing list arrives from an address the origin domain never listed and fails the check. Adoption of the newer DomainKeys Identified Mail (DKIM) is proceeding at a steady pace. Here too, false positives are a concern when third-party mailers send e-mail on behalf of business domains without a signing key the business has published for them. Also at issue is backscatter, the bounce messages that land on whoever's address a spammer forged as the return-to-sender. Still, IT executives aren't deterred by the lack of a single standard or by the often-contentious back-and-forth over which one should win.
Ironically, the winners in the standards skirmish might be the spammers. A published record only lets a receiver verify that mail claiming to come from a domain really did; it says nothing about whether that domain deserves trust, and spammers have been quick to publish records of their own: almost all use published SPF records, according to an October 2005 Forrester Research report. MX Logic, a spam-filtering service provider, determined, for instance, that 83% of the spam it trapped over a test period last August came from domains with published SPF records. And of the 0.12% of domains publishing Sender ID records last August, 85% were spam-sending domains.
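The two points above, that SPF fails on forwarded mail and that a passing check proves only the origin domain and not its honesty, are easiest to see by running a checker against a few records. The following is an added example, not code from the article or from any of the vendors it names: a simplified SPF evaluator (ip4, include and the all mechanism with its qualifiers; the a, mx and exists mechanisms are not modelled) over a constructed in-memory DNS table. Every domain, address and record in it is made up. It goes slightly beyond the text by also showing the standard workaround for forwarding, in which the forwarder rewrites the envelope sender to its own domain so the check is evaluated against a record that does list the forwarder.

```python
"""Toy SPF evaluator over a constructed DNS table (added example, not the
article's own material). Domains, IPs and records below are hypothetical."""
import ipaddress

# Constructed TXT records. The bank authorizes its own MTAs plus one
# e-mail service provider (ESP) via include:; a spammer publishes a
# perfectly valid record for its own domain; a forwarder publishes one too.
DNS_TXT = {
    "bank.example":      "v=spf1 ip4:198.51.100.0/24 include:esp.example -all",
    "esp.example":       "v=spf1 ip4:203.0.113.0/24 -all",
    "spammer.example":   "v=spf1 ip4:192.0.2.128/25 -all",
    "forwarder.example": "v=spf1 ip4:192.0.2.0/26 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, sender_ip, dns=DNS_TXT, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (too many nested includes, mirroring the RFC 7208 limit).
    """
    if depth > 10:
        return "permerror"
    record = dns.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced domain yields 'pass'
            matched = check_spf(term[8:], sender_ip, dns, depth + 1) == "pass"
        else:
            continue  # mechanisms this toy does not model (a, mx, exists, ...)
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def scenarios():
    """The cases discussed in the text, as (envelope sender domain, connecting IP)."""
    return {
        # bank's own MTA delivering directly
        "direct": check_spf("bank.example", "198.51.100.7"),
        # same message relayed by a forwarder; envelope sender left as the
        # bank's, but the connecting IP is the forwarder's -> false positive
        "forwarded": check_spf("bank.example", "192.0.2.25"),
        # forwarder that rewrote the envelope sender to its own domain
        "forwarded_rewritten": check_spf("forwarder.example", "192.0.2.25"),
        # third-party mailer the bank listed via include:
        "esp_included": check_spf("bank.example", "203.0.113.9"),
        # third-party mailer the bank never listed -> another false positive
        "esp_unlisted": check_spf("bank.example", "192.0.2.66"),
        # phisher forging the bank's domain from its own server -> caught
        "forged_bank": check_spf("bank.example", "192.0.2.130"),
        # the same spammer sending from its own domain: "authenticated spam"
        "spammer_own_domain": check_spf("spammer.example", "192.0.2.130"),
        # domain with no record at all
        "no_record": check_spf("nospf.example", "192.0.2.130"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

The forwarded and esp_unlisted cases are the false positives the article describes: the mail is genuine but SPF returns fail because the delivering host is not in the bank's record. The spammer_own_domain case passes, which is the sense in which SPF "authenticates" spam: it confirms the message came from spammer.example, nothing more. Only a reputation judgement about that domain, of the kind the later quotes describe, turns a pass into a delivery decision.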
"Authenticated spam is still spam," says Max Christoff, vice president of enterprise applications for a Fortune 50 financial services company in San Francisco that asked not to be named because of corporate policy. "Anyone under the Hotmail-authenticated domain can keep opening new Hotmail accounts, get neutral starting ratings, and send spam from those accounts until they get shut down."
Dave Wright, senior vice president of e-mail infrastructure at Bank of America, counters: "At the very least, authenticated e-mail can prove to mail gateways that this mail really does come from Bank of America.com." Wright uses DKIM-authenticated e-mail between Bank of America and its large business customers. "There's a lot to win in this scenario because ISPs can provide better service for their customers. And enterprises win because their customers are getting fewer phishes and spam," he says.
In addition, he says, e-mail authentication frameworks facilitate deeper forms of identity authentication by combining DNS data with reputation data from large service-provider networks to rate, blacklist and remove e-mail sender accounts based on spam complaints.
At least one vendor is poised to make money providing an accreditation service. Last October, Goodmail Systems, which accredits senders and certifies their e-mail with a cryptographically secure token, announced a deal with AOL and Yahoo (which together cover 50% of the public e-mail audience). The providers plan to deploy Goodmail's CertifiedEmail service at their gateways as soon as possible. E-mail sent with CertifiedEmail tokens will then bypass the gateways' spam filters, and the ISPs will redeem the tokens for payment from Goodmail when that e-mail is successfully delivered.