Home  › Email › Email Marketing

Authentication: A Good Start, Not a Final Answer

  |  June 7, 2004   |  Comments

E-mail authentication's future, and how it will affect legitimate e-mailers.

I've analyzed the opportunities with third-party email accreditation services. Today, a few thoughts on email authentication's future and how it will affect legitimate emailers.

Defining Authentication

I had a lively discussion with some colleagues about the differences between authentication, accreditation, and reputation. We concluded the three categories deserve different standings in the industry. Authentication is 100 percent verifiable; reputation is based on observed data and behaviors; and accreditation is third-party vouching for a sender, with or without a reputation attached to that credit.

Authentication should be considered separately from reputation and accreditation. The latter two services complement authentication, but they aren't required, nor can they be used in critical mass, to enable email delivery.

For the record, authentication will allow ISPs and corporate IT departments (receivers) to validate a sender as the rightful server operator and message sender. But receivers can still block any and all messages from their end users.

Authentication Plans in Plain Language

E-mail clients frequently ask about key points of the email authentication proposals: Sender Policy Framework (SPF), Caller ID for E-Mail, and DomainKeys. Below, the proposals' highlights.

SPF and Caller ID for E-Mail are similar proposals (so similar, they're being merged into one proposal). They attempt to answer the question: Is Server X (recognized by IP address) authorized to send email claiming to be from Domain Y? Both answer this with a DNS. A DNS entry lists all valid sources an email with a specific domain cam be delivered from.

In other words, domain administrators must create new DNS entries that list all outbound mailservers, list servers, and third parties that may legitimately deliver email using a particular domain name. A receiver can make a DNS request to look up this information and verify if the message is indeed from that domain.

The DomainKeys proposal complements the other two by focusing on a different question: Is the domain in the sender field really the source of this message and its contents? The proposal requires mailers to publish a public key so email messages can be signed in a manner similar to encryption programs. The email signature is published with a private key in the email header, the public key is stored in the DNS. When the recipient receives a signed message, he can verify the signature, that the message is from the specified domain, and the message was delivered in the form it was sent in.

This is just the top-level summary. The proposals' details are being worked out with standard-setting organizations, such as the Internet Engineering Task Force. The system proposals are currently license and royalty free, open for all senders and receivers to test and implement.

Authentication Isn't Bulletproof

The email industry's greatest threat isn't spam but phishing. According to the Anti-Phishing Working Group, 1,219 new, unique phishing attacks were reported in April, a 275 percent increase over March's 324 reported attacks. Phishing destroys user confidence in email communications and makes transactional and relationship email messaging increasingly difficult. Since most phishing email forges legitimate domain names, email authentication can help fix the problem.

However, there are few, if any, restrictions on registering a domain name and listing a sending IP address as legitimate, even for a short while. The best example is a recent phishing attack against AOL. The phisher actually registered "www.aolaccountupdate.com," which appears to come from AOL. Nothing stops fraudulent domain registrants from listing their sending IP addresses and signing their messages to get through receiver gateways.

When authentication is resolved, the industry must focus on ICANN and domain-name accountability, in addition to IP address allocation. When the entire system is accountable, we'll finally solve sender identification.

Authentication Won't Replace Accreditation or Reputation

As mentioned, authenticating email won't mean messages will reach intended recipients. Receivers continue to use in spam filters and third-party resources to ensure end users get only the messages they want. First- and third-party whitelist programs and data accountability will go hand in hand with authentication.

Managing these programs will be increasingly difficult. Establishing your own static IP address is critical for authentication, reputation, and accreditation.

Authentication Won't Replace Content Review or Enhanced Permission

We have amazing tools to proof content and determine whether a message will trigger spam filters. An extra authentication layer won't mean messages will reach intended recipients. The dramatic increase in individual and enterprise Bayesian filters, which don't report messages as undeliverable and usually only stop portions of a campaign, will require scrupulous campaign analysis.

Authenticating email won't allow senders to relax permission practices. If anything, the opposite is true since authenticated senders will increasingly become more accountable for bounce management and recipient complaints. If senders hold themselves more accountable through authentication, receivers may reply with email addresses of user complaints so senders can stop them from receiving future messages.

Authentication must be adopted by all parties as quickly as possible. Whatever the final specification, it's a much needed toolset for receivers to differentiate legitimate messages from spam. Yet authentication is only a gateway resource. Accreditation, reputation, content, and permission will continue to function as server- and client-level filters, requiring extensive management and dispute resolution.

One day, email will be analogous to expedited shipping: You may have to invest extra time and resources into getting it there, but you'll sleep better at night knowing it's going to get there.

This is my last column for ClickZ. Thanks for your readership and your amazing responses these past 18 months.

Want more email marketing information? ClickZ E-Mail Reference is an archive of all our email columns, organized by topic.

ClickZ Live San Francisco This Year's Premier Digital Marketing Event is #CZLSF
ClickZ Live San Francisco (Aug 11-14) brings together the industry's leading practitioners and marketing strategists to deliver 4 days of educational sessions and training workshops. From Data-Driven Marketing to Social, Mobile, Display, Search and Email, this year's comprehensive agenda will help you maximize your marketing efforts and ROI. Register today!

ABOUT THE AUTHOR

Ben Isaacson

Ben Isaacson is the privacy and compliance leader for Experian, overseeing Internet and advanced technology privacy and compliance affairs across Experian Marketing Services products including CheetahMail, Digital Advertising Services, and Hitwise. Mr. Isaacson's previous roles include serving as the executive director of the Association for Interactive Marketing (AIM), a former DMA subsidiary. He regularly blogs at EmailResponsibly.com.

COMMENTSCommenting policy

comments powered by Disqus

Get ClickZ Email newsletters delivered right to your inbox. Subscribe today!

COMMENTS

UPCOMING EVENTS

Featured White Papers

BigDoor: The Marketers Guide to Customer Loyalty

The Marketer's Guide to Customer Loyalty
Customer loyalty is imperative to success, but fostering and maintaining loyalty takes a lot of work. This guide is here to help marketers build, execute, and maintain a successful loyalty initiative.

Marin Software: The Multiplier Effect of Integrating Search & Social Advertising

The Multiplier Effect of Integrating Search & Social Advertising
Latest research reveals 68% higher revenue per conversion for marketers who integrate their search & social advertising. In addition to the research results, this whitepaper also outlines 5 strategies and 15 tactics you can use to better integrate your search and social campaigns.

WEBINARS

Jobs

    • Customer Service Representative
      Customer Service Representative (Common Sense Publishing) - Delray BeachDo you thrive on chaos? Love to multi-task? Enjoy a fast paced work environment...
    • Business Intelligence and Reporting Analyst
      Business Intelligence and Reporting Analyst (Stansberry and Associates) - BaltimoreStansberry and Associates is seeking a driven individual to fill...
    • Internet Marketing Campaign Manager
      Internet Marketing Campaign Manager (Straight North, LLC) - Fort MillWe are looking for a talented Internet Marketing Campaign Manager to join the...