Renovating E-Mail With Identity in Mind

December 11, 2003

E-mail senders, ISPs and vendors take the first steps toward an overhaul of SMTP.

That email message may appear to be from PayPal or EarthLink, but is it really? To know for sure, email needs an identity verification system, and there's a growing consensus among email senders and recipients that one should be developed.

The latest two proposals, which were released over the past few days, come from portal giant Yahoo and email infrastructure company IronPort Systems, which has a partnership with the Network Advertising Initiative's Email Service Provider Coalition (ESPC). Both proposals are chiefly aimed at establishing a technical specification to allow email recipients to verify sender identity. The next step, many in the industry believe, would be to tie a reputation rating -- something like a credit report -- to that identity. But industry-watchers seem to agree getting beyond email's anonymous nature should be the first step.

"The core issue with email is the lack of identity and the lack of accountability," said Tom Gillis, senior VP of marketing at IronPort.

Yahoo's proposed system, DomainKeys, is intended to ensure email communications are really from the domains listed in the sender field. This would allow email administrators to short-circuit messages from spammers and phishers. These scam artists often "spoof", or use the domains and email addresses of, legitimate businesses to lend credibility to their missives and get unsuspecting recipients to open the email.

DomainKeys would also help ISPs and email providers like Yahoo, as well as enterprises, disavow email messages that misappropriate their domain names.

"By initially addressing identity through DomainKeys, we aim to knock down the first domino in the path to solving the authentication issue, ultimately decreasing the annoyance spam causes for our users," said Brad Garlinghouse, VP of communication products at Yahoo.

Yahoo execs have submitted the proposal to industry leaders and colleagues at America Online, MSN and EarthLink. The big three portal players, all of which provide ISP service, earlier this year vowed to work together to fight spam. EarthLink later joined the so-called Spam Alliance. Yahoo said it plans to make the proposal document more widely available in the coming days.

DomainKeys' approach combines public-key cryptography with the domain name system. The domain name owner, who presumably controls the email sent out using the domain name as a sender address, uses the private key to generate a digital signature that's added to the header of every message that goes out. The owner also places the corresponding public key on his server.

When the message is received, the email system extracts the digital signature and the claimed sending domain. It then fetches the public key from the domain name owner's server and determines whether the signature was generated by the corresponding private key -- thereby verifying the sender's relationship with the domain.
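The sign, look up and verify flow just described, as an added example that is not Yahoo's code or the DomainKeys specification. It assumes a hypothetical `X-Demo-Signature` header, a dictionary standing in for the key the domain owner publishes, and unpadded textbook RSA over a constructed demo key, which shows the data flow only.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. Textbook (unpadded) RSA
# is used only to show the data flow; real signing needs a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the domain owner

# Stand-in for the owner's published key: domain -> public key (assumed layout).
PUBLISHED_KEYS = {"example.com": (N, E)}


def _digest(sender, body):
    """Hash the claimed sender together with the body, as an integer."""
    data = sender.lower().encode() + b"\n" + body.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_message(sender, body, private_key=(N, D)):
    """Sending side: add a signature header computed with the private key."""
    n, d = private_key
    sig = pow(_digest(sender, body), d, n)
    return {"From": sender, "X-Demo-Signature": format(sig, "x"), "body": body}


def verify_message(msg, published_keys=PUBLISHED_KEYS):
    """Receiving side: fetch the claimed domain's key and check the signature."""
    sender = msg.get("From", "")
    domain = sender.rpartition("@")[2].lower()
    key = published_keys.get(domain)
    if key is None:
        return "no-key"  # the claimed domain publishes nothing to check against
    n, e = key
    try:
        sig = int(msg.get("X-Demo-Signature", ""), 16)
    except ValueError:
        return "fail"  # signature header missing or malformed
    ok = pow(sig, e, n) == _digest(sender, msg["body"])
    return "pass" if ok else "fail"
```

A message that claims `example.com` but was not signed with that domain's private key, or whose body changed after signing, comes back as `fail`.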

"It's very good news," said Margaret Olson, chief technology officer of Roving Software and co-chair of the ESPC technology committee, speaking of the Yahoo proposal. "The entire industry is coming to the conclusion that this is the type of solution that needs to be implemented."

The ESPC itself had issued a more ambitious blueprint, called Project Lumos, back in September. Olson said everything in the Yahoo proposal was "completely consistent" with Lumos. Yahoo's is more of a practical first-step plan, while Lumos is further reaching.

IronPort Systems has agreed with the ESPC to be one of the "federated registries" to track identity and reputation under the Lumos plan. But it, too, sees a need for a first, baby step.

That's why IronPort this week released a proposal for SMTPi, which stands for Simple Mail Transfer Protocol with identity features added. Initially, SMTPi would use IP address-based whitelisting combined with extra identification codes in the header to declare the email's campaign, sender, and email service provider.

Senders would have to record those extra identification elements in a central registry and include them in the headers of email messages they send. Receiving systems would look at the IP address of the last server sending the message -- the only part of an email header that can't be forged -- and check to see if it's present in the registry. If it is on the IP whitelist, the receiver will know to trust the campaign, sender, and email service provider codes.

The second phase in the SMTPi proposal has similar goals to Yahoo's DomainKeys, though it goes about the domain authentication in a very different manner. Under SMTPi, domain owners specify, using the DNS, which IP addresses are allowed to send mail claiming to be from a given domain. Then, when recipients get mail, they can check to see whether the IP address and the purported domain of the sender match. If they don't, the recipient may want to discard the message.
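A receiver-side version of that second-phase check, as an added example that is not IronPort's code. The article does not give a record format, so the dictionary of published networks, the function name and the three verdict strings are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for what domain owners would publish in the DNS:
# domain -> networks allowed to send mail claiming that domain.
AUTHORIZED_SENDERS = {
    "example.com": ["192.0.2.0/28", "2001:db8:25::/64"],
    "mail.example.net": ["198.51.100.7/32"],
}


def check_sender_ip(from_header, connecting_ip, published=AUTHORIZED_SENDERS):
    """Return 'match', 'mismatch', or 'unknown' (nothing to compare against)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"  # no usable sender address in the header
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    networks = published.get(domain)
    if networks is None:
        return "unknown"  # the domain has published no list of senders
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "unknown"  # connecting address could not be parsed
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        # Compare only within the same address family (IPv4 vs IPv6).
        if ip.version == network.version and ip in network:
            return "match"
    return "mismatch"
```

The `unknown` verdict keeps mail from domains that publish nothing separate from mail that contradicts a published list, which is the only case where discarding is justified by this check.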

The third stage, which bears the most resemblance to Project Lumos, involves the issuance of digital identity certificates and public-key encryption. Senders would digitally sign messages using their private key and embed a certificate in the header of each message. Using the sender's public key, the receiver verifies the certificate and validates the message.

"The problem," says IronPort's white paper on the subject, "is that such a system would require a dramatic overhaul of the existing email infrastructure, requiring years before such a system becomes viable."

Roving Software's Olson predicts Yahoo's and IronPort's proposals are just the first among many that will be floated over the next few weeks. While the basic premises will be similar, said Olson, "there's going to have to be a lot of running around and making sure all the details are the same" before anything can be implemented. "Of course, there will be some balkanization. That's one of the things you just have to get through.

"The network effect is so powerful," she said, "once this begins to be adopted, it's in everyone's best interest to have the same protocols and the same details."


ABOUT THE AUTHOR

Pamela Parker

Pamela Parker is a former managing editor of ClickZ News, Features, and Experts. She's been covering interactive advertising and marketing since the boom days of 1999, chronicling the dot-com crash and the subsequent rise of the medium. Before working at ClickZ, Parker was associate editor at @NY, a pioneering Web site and e-mail newsletter covering New York new media start-ups. Parker received a master's degree in journalism, with a concentration in new media, from Columbia University's Graduate School of Journalism.
