Authenticate! Don't Make Everyone Wonder If It's Really You!
According to an article published by the New York Times in March of 2009, 94 % of all email sent is spam!!! Barracuda Networks has estimated that in 2008, spam accounted for between 90 and 95 percent of the total email. They also expect it to increase slightly in 2009. Protecting subscribers from spam is an ongoing challenge that continually changes - it is a true "moving target".
Early attempts at controlling spam focused on filtering out bad email. Unfortunately, every improvement on the anti-spam side resulted in a new approach on the spammer side. Filtering out spam has never been more than partially successful. It results in both false negatives and false positives. So, some spam still gets delivered and some good email gets dropped!
Currently, a two-pronged effort is evolving: authentication and reputation. Authentication identifies the author of the email and reputation provides a means of assessing their trustworthiness.
In an earlier blog, we talked about how important sender reputation is, in getting your email to the Inbox. We discussed some of things that can hurt or help your sender reputation, such as the number of complaints or the number of times your email is opened and scrolled through.
For the next few blogs, we will focus on email authentication and on the different approaches to accomplishing it. Authenticating or signing an email can (almost) prove you are who you say you are. It can also improve your sender reputation.
The objective of email authentication is to help prevent spam from reaching the Inbox, while at the same time allowing desirable email to get there. It's analogous to a router's access control list: drop unwanted traffic, while allowing desirable traffic.
What Is Email Authentication?
In this and the next two or three blogs, the term authentication uses the definition put forth by the Messaging Anti-Abuse Working Group (MAAWG) in March 2008. The document was entitled, Trust in Email Begins with Authentication.
Authentication is a technology for determining any of the following:
- That an identifier is being employed by, and for, the organization (the identity) that it belongs to.
- That a specific IP Address is being used by the organization it is assigned to.
- That a domain name is being used by the organization that registered it.
- That address and domain name registrations derive from the global Internet administrative authority, ICANN.
Why Does Outside Authority Matter?
As an example, if you were to print a drivers license for whatever state you happened to be in ... and a police officer pulled you over for speeding, you would probably go to jail, when he saw your fake drivers license. If, however, the license were actually issued and printed by the DMV of the state, then you would likely just get a ticket ... or maybe just a warning.
The difference is the backing authority: It says you have the required driving skills, an address where you can be found ... it implies that you are likely trustworthy, where the self-issued drivers license does NOT!
This is what authentication, when combined with a good sender reputation, implies to the ISPs who must deliver bulk commercial email, while at the same time NOT deliver spam. This is a difficult road to walk ... one the spammers are constantly digging up!
Whenever there is a networking problem to solve, everyone benefits if a common solution can be found ... a standard, if you will, for everyone to follow. There are standards organizations that exist to develop, document and publish such standards. Once a standard is finally complete, things get much easier. Customers can select products from different manufacturers and, if the standard was followed, the products will all work together properly. This is a good thing!
Unfortunately, there have almost always been competing solutions ... competing standards being developed. It doesn't matter what aspect of networking or the Internet we are talking about, there are often multiple "standards" being developed by (typically) competing companies. Clearly, there is a market share advantage to developing a protocol that is later adopted as THE Internet Standard!
Often, when various competing proposals are presented to a standards board, the final standard adopted is a blend of hopefully the best parts of the different proposals.
Today, there are several protocols being used for email authentication.
Most abusive email messages carry fake sender addresses. There are three protocols that deal with sender address forgery:
- Sender Policy Framework (SPF) - Open Source
- Sender ID - From Microsoft
- Sender ID Framework - Combination of Sender ID & SPF
- DomainKeys - from Yahoo
- Internet Identified Mail (IIM) - from Cisco
- DomainKeys Identified Mail (DKIM) - Combination of DomainKeys & IIM