E-mail authentication. Then what?
March 22, 2005, 4:00 AM PT
By Dave Anderson

The world's e-mail network is no longer the friendly place it once was.

The booming trade in spam and the looming threat of e-mail fraud, in the form of spoofing and phishing, have seriously dented our confidence in e-mail. Despite a multimillion-dollar industry surrounding antispam software, and several attempts to banish the problem with regulation, spammers and fraudsters continue to stay one step ahead.

The problem is that SMTP, or Simple Mail Transfer Protocol, the protocol designed to move e-mails from server to server, is still a system based on trust. Anyone submitting a message can claim to be anyone else, with little or no accountability.


Enter e-mail authentication. During the past year, the industry has keenly watched the progress of various sender-authentication schemes designed to ensure that all senders--including businesses, Internet service providers and, most important, spammers--are held responsible for the messages they send. E-mail authentication tells us where mail comes from so we can decide whether we want to read it.

The industry has willingly thrown its weight behind the concept--companies that would normally consider themselves competitors have united behind specific standards and technologies. The Internet Engineering Task Force worked diligently, collaborating with companies on authentication technologies, and its efforts were critical to the evolution of e-mail authentication, even though it was unable to develop a single standard.

The government has also recognized the importance. The Federal Trade Commission and the National Institute of Standards and Technology hosted the Email Authentication Summit recently at which industry leaders met to discuss what progress had been made to date, as well as the future of authentication.

Despite this support, the question remains: How do we take the theory of e-mail authentication and put it into practice? What do the actual legitimate senders and receivers of e-mail need to do to ensure they're prepared and protected? It's now up to individual businesses to do their part, but what do they need to do?

Today there are two widely known technologies that have serious supporters. Sender ID Framework, or SIDF, is an IP-based solution that combines Microsoft's Caller ID for e-mail proposal and Meng Wong's Sender Policy Framework, or SPF. DomainKeys, a signature-based approach supported by Yahoo, and Identified Internet Mail, another signature approach by Cisco Systems, both require software to be implemented by the sender and receiver to verify the integrity of the message.

Signature approaches are considered to be longer-term solutions for robust e-mail systems, while SIDF is easier to deploy for simple implementations. A team of top e-mail industry players is working with both Cisco and Yahoo to develop a single signature specification. That implementation should be available to the IETF for standardization by the second half of 2005.

As recommended by 34 industry leaders in a recent letter to the FTC, e-mail authentication initiatives should be rolled out in two phases. This two-step strategy incorporates, first, IP-based approaches and then signature-based approaches. Organizations should adopt SIDF today and then, as signature-based solutions mature, deploy them as well. The two schemes complement each other in the long term, resulting in a robust solution to address the range of platforms, user environments and deployment requirements worldwide.


On a practical level, companies should develop plans as to how to incorporate authentication into their current infrastructure, and they should ask their e-mail vendors how and when they plan to take advantage of authentication. Both SIDF and signature approaches are already being adopted by some businesses. Early tests on the performance have been promising. Reports indicate that as much as 50 percent of sending domains are authenticating their outbound e-mail using SIDF and signatures.

These results alone should be enough to convince us that we're approaching the end of e-mail as we know it. The schemes are critical pieces of the technology that should be adopted by any site or company that depends on the reliable delivery of their outbound e-mail or the protection of their brand and domain name. They should also be used by other receivers that wish to be able to prove the identity of mail senders, as well as provide a safer and more reliable way to accept inbound messages beyond traditional mail content filtering.

Every receiving site will have to decide for itself which sender authentication approaches to take and what requirements to place on incoming mail in order to best suit its needs. But companies should also expect their customers, partners and suppliers to use a variety of schemes, or risk being unable to exchange messages with whole segments of their supply chain. The "industry" can only support e-mail authentication--it's now up to individual businesses to make it happen