
E-mail authentication – one way or another

Dec 26, 2005 | 3 mins
Authentication, Data Center, Malware

Net execs are struggling with a proliferation of imperfect standards.

IT executives say they aren’t deterred by a lack of standardization among developers of e-mail authentication software.

E-mail authentication is not an either/or proposition. As ISPs, e-mail service providers and businesses struggle to protect their brands and customers, they’re adopting any e-mail authentication method that can put the kibosh on spam and phishing, even if it is less than ideal. IT executives aren’t deterred by a lack of standardization, despite the often-contentious back-and-forth among developers over the issue.

Sender Policy Framework (SPF) and Sender ID are widely used despite being ineffective at ending spam (they issue false positives on legitimately forwarded messages). Adoption of the newer DomainKeys Identified Mail (DKIM) is proceeding at a steady pace. False positives are a concern here, too, when third-party mailers send e-mail on behalf of business domains. Also at issue is back splatter, meaning return-to-sender spam.

Unfortunately, spammers are still winning the battle – and even rely on e-mail authentication in the process. Almost all spammers use published SPF records, according to a Forrester Research report issued in October. MX Logic, a spam-filtering service provider, determined that 83% of the spam it trapped over a test period in August came from domains with published SPF records. Of the 0.12% of domains that published Sender ID records that month, 85% were spam-sending domains.
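The two SPF outcomes described above, as an added example that is not part of the original article: a simplified SPF check (only the `ip4` and `all` mechanisms) in which a legitimately forwarded message fails while a spam domain with its own published record passes. All domains, addresses and records are constructed for illustration.

```python
import ipaddress

# Constructed sample data: reserved example domains and documentation
# address ranges, standing in for real DNS TXT lookups.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spam-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF record against the connecting server's IP."""
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, include, ...) are out of scope here.
    return "neutral"  # no mechanism matched


def scenarios():
    """Return the SPF result for three constructed deliveries."""
    return {
        # Sent straight from the bank's own outbound server.
        "direct": check_spf("bank.example", "192.0.2.25"),
        # Same message relayed by a forwarder that keeps the original
        # envelope sender: the receiver now sees the forwarder's IP.
        "forwarded": check_spf("bank.example", "198.51.100.7"),
        # Spam sent from a domain whose owner published a matching record.
        "spam": check_spf("spam-sender.example", "203.0.113.66"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result}")
```

A receiver that treats an SPF pass as a verdict on content would reject the forwarded message and accept the spam, which is why the result is better used as one input to reputation scoring.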

“Authenticated spam is still spam,” says Max Christoff, vice president of enterprise applications for a Fortune 50 financial-services company in San Francisco that asked not to be named because of corporate policy. “Anyone under the authenticated Hotmail domain can keep opening new Hotmail accounts, get neutral starting ratings and send spam from those accounts until they get shut down.” The same goes for DKIM, he adds. All spammers have to do is open new domains and attach their own cryptographic DomainKeys to them, and they can correctly and legitimately send e-mail.

But, counters Dave Wright, senior vice president of e-mail infrastructure at Bank of America, “at the very least, authenticated e-mail can prove to mail gateways that this mail really does come from” Wright uses DKIM-authenticated e-mail between Bank of America and its large business customers. “There’s a lot to win in this scenario, because ISPs can provide better service for their customers. And enterprises win, because their customers are getting fewer phishes and spam,” he says.

In addition, he says, e-mail authentication frameworks facilitate deeper forms of identity checking by combining DNS information with reputational data from large service-provider networks. This is used to rate, blacklist and remove e-mail sender accounts based on spam complaints.

Toward that end, Goodmail Systems, which accredits senders and certifies their e-mail with a cryptographically secure token, announced in October that AOL and Yahoo plan to deploy its CertifiedEmail service at their gateways. Mail sent with CertifiedEmail tokens would bypass the gateways’ spam filters, and the ISPs would redeem the tokens for payment from Goodmail when the e-mail is successfully delivered.

Some IT managers say they worry that unscrupulous ISPs could abuse such a model. But Goodmail insists it has stacked the system with checks and balances to detect and protect against conceivable forms of fraud.

Despite their potential problems, these emerging layers of e-mail authentication should raise the bar on spammers and fraudsters, says Eric Allman, Sendmail CTO and author of the open source mail-transfer agent responsible for most e-mail routing today. He adds, “At least they give e-mail senders and service providers more tools in their toolbox.”

Radcliff is a freelance writer specializing in online safety and network security.