Toll Free: 1-888-883-9462
| Privacy Policy
| Site map
  Email Marketing Tips Newsletter: 

Thursday, June 4, 2009

Authenticate! Don't Make Everyone Wonder If It's Really You!

According to an article published by the New York Times in March of 2009, 94 % of all email sent is spam!!! Barracuda Networks has estimated that in 2008, spam accounted for between 90 and 95 percent of the total email. They also expect it to increase slightly in 2009. Protecting subscribers from spam is an ongoing challenge that continually changes - it is a true "moving target".

Early attempts at controlling spam focused on filtering out bad email. Unfortunately, every improvement on the anti-spam side resulted in a new approach on the spammer side. Filtering out spam has never been more than partially successful. It results in both false negatives and false positives. So, some spam still gets delivered and some good email gets dropped!

Currently, a two-pronged effort is evolving: authentication and reputation. Authentication identifies the author of the email and reputation provides a means of assessing their trustworthiness.

In an earlier blog, we talked about how important sender reputation is, in getting your email to the Inbox. We discussed some of things that can hurt or help your sender reputation, such as the number of complaints or the number of times your email is opened and scrolled through.

For the next few blogs, we will focus on email authentication and on the different approaches to accomplishing it. Authenticating or signing an email can (almost) prove you are who you say you are. It can also improve your sender reputation.

The objective of email authentication is to help prevent spam from reaching the Inbox, while at the same time allowing desirable email to get there. It's analogous to a router's access control list: drop unwanted traffic, while allowing desirable traffic.

What Is Email Authentication?
In this and the next two or three blogs, the term authentication uses the definition put forth by the Messaging Anti-Abuse Working Group (MAAWG) in March 2008. The document was entitled, Trust in Email Begins with Authentication.

Authentication is a technology for determining any of the following:
  • That an identifier is being employed by, and for, the organization (the identity) that it belongs to.
  • That a specific IP Address is being used by the organization it is assigned to.
  • That a domain name is being used by the organization that registered it.
  • That address and domain name registrations derive from the global Internet administrative authority, ICANN.
Authentication can prove who you are ... but, it can't say anything about what you are: Mainly ... are you trustworthy? This part takes an outside authority. In this case, sender reputation serves as the outside authority.

Why Does Outside Authority Matter?
As an example, if you were to print a drivers license for whatever state you happened to be in ... and a police officer pulled you over for speeding, you would probably go to jail, when he saw your fake drivers license. If, however, the license were actually issued and printed by the DMV of the state, then you would likely just get a ticket ... or maybe just a warning.

The difference is the backing authority: It says you have the required driving skills, an address where you can be found ... it implies that you are likely trustworthy, where the self-issued drivers license does NOT!

This is what authentication, when combined with a good sender reputation, implies to the ISPs who must deliver bulk commercial email, while at the same time NOT deliver spam. This is a difficult road to walk ... one the spammers are constantly digging up!

Establishing Standards
Whenever there is a networking problem to solve, everyone benefits if a common solution can be found ... a standard, if you will, for everyone to follow. There are standards organizations that exist to develop, document and publish such standards. Once a standard is finally complete, things get much easier. Customers can select products from different manufacturers and, if the standard was followed, the products will all work together properly. This is a good thing!

Unfortunately, there have almost always been competing solutions ... competing standards being developed. It doesn't matter what aspect of networking or the Internet we are talking about, there are often multiple "standards" being developed by (typically) competing companies. Clearly, there is a market share advantage to developing a protocol that is later adopted as THE Internet Standard!

Often, when various competing proposals are presented to a standards board, the final standard adopted is a blend of hopefully the best parts of the different proposals.

Today, there are several protocols being used for email authentication.

Most abusive email messages carry fake sender addresses. There are three protocols that deal with sender address forgery:
  • Sender Policy Framework (SPF) - Open Source
  • Sender ID - From Microsoft
  • Sender ID Framework - Combination of Sender ID & SPF
There are also three cryptographic solutions:
  • DomainKeys - from Yahoo
  • Internet Identified Mail (IIM) - from Cisco
  • DomainKeys Identified Mail (DKIM) - Combination of DomainKeys & IIM
Next time, we'll start talking about how these protocols work.

Labels: , , , ,


  • Thanks Barb. One again you've set me straight. I guess being a Certified Cisco Instructor means you would know that Cisco/IIM was part of DKIM

    By Blogger Peter Roebuck , At June 5, 2009 at 2:56 PM  

  • You've got the history a bit wrong. Microsoft introduced "Caller ID for Email," which was mostly scrapped when they hired SPF creator Meng Wong to create Sender ID, which is now called the "Sender ID Framework." For the most part, only Microsoft products -- most notably Hotmail -- check Sender ID validity on inbound mail.

    DKIM isn't just a combination of two companies' competing efforts; it has been a full-fledged IETF standardization effort. Still is. Check out for links to the latest documents.

    And finally, you refer to ICANN as "the global Internet administrative authority" -- which isn't quite right either. ICANN sets global policy for domain names. Domain registries then manage each top-level domain (.com, .uk, et cetera.) These registries have widely varying policies regarding accuracy of information.

    There's a lot more info about all of this stuff at

    By Blogger J.D. , At June 5, 2009 at 6:40 PM  

  • Thanx so much for your comments. :)

    I will admit to not fully researching the details of the different protocols yet. My plan was to do so as I begin looking at them in more detail. So, your information will be very helpful!

    I will also clarify the info about ICANN and mention a couple of the registries, mainly the ones for the US and Europe.

    My intent at this point was to just introduce the main concepts and some of the terminology.

    Again, I appreciate your feedback, Barb

    By Blogger Unknown , At June 6, 2009 at 4:13 PM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home