After E-mail Authentication

April 17, 2006

With more than 35 percent of all mail now being authenticated, e-mail watchers are looking ahead to the next wave of issues.

The embrace of email authentication by commercial senders, one of the key issues facing the email industry, is coming along nicely.

The adoption level grew by 60 percent last year and is at a point where most large commercial senders are using one or both of the two dominant frameworks. According to data from the E-mail Senders & Providers Coalition (ESPC), more than 35 percent of all mail now sent is being authenticated.

The logical question many email stakeholders are now asking is, what comes next? At the second annual E-mail Authentication Summit this week in Chicago, many of them will take up that question, discussing what will drive further adoption, issues of enforcement, and how to layer on reputation services once a sender’s identity is known.

Dueling Protocols Make Peace

It has been two years since the first email authentication standard, the open source Sender Policy Framework (SPF), hit the scene. SPF still exists as a standalone authentication protocol, with AOL as a strong backer, but it was also incorporated into Microsoft’s Sender ID Framework (SIDF), making SIDF the early leader in authentication methods.

Two cryptographic approaches, Yahoo’s DomainKeys and Cisco’s Internet Identified Mail, were created around the same time as the path-based authentication methods of SIDF and SPF. They were combined last year to create DomainKeys Identified Mail (DKIM), which has emerged as the leader in "signed" solutions.

Sender ID and DKIM, once seen as an either-or proposition, are now beginning to be recognized as complementary authentication technologies, as each has different strengths and weaknesses. SIDF’s value rests on its ease of implementation, its lack of hard costs and its lack of impact on server performance. The DKIM cryptographic solution conducts a more rigorous examination of a message than path-based approaches like Sender ID.

"Our vision has always been that IP-based solutions are the first step, and then senders will move toward more sophisticated signed solutions," said Trevor Hughes, executive director of the ESPC.

Craig Spiezle, chair of the E-mail Authentication Summit and director of the technology care and safety group at Microsoft, voiced a similarly inclusive sentiment.

"We believe that the combination of multiple technologies deployed through a multi-phased approach will elicit more robust protections for the range of platforms, user environments and deployment requirements worldwide," he said. "We are finding that Sender ID is proving to offer a significant business value. However, we see the value of DKIM as a complementary solution and expect many organizations will choose to implement both solutions."

Adoption and Enforcement

All 58 members of the ESPC have implemented some form of authentication, both for mail sent on behalf of clients and in corporate email, and more than 70 percent of Fortune 100 companies are sending at least some authenticated mail, according to Hughes.

"We’re significantly ahead of where we were last year," he said. "Senders are increasingly recognizing that it’s absolutely imperative to authenticate their messages."

Some ISPs have already begun to attach consequences to failed authentication or unauthenticated messages. Yahoo has been a leader in enforcement of authentication. It was the first to put a visual alert in the user interface to show which messages are being authenticated via DomainKeys. MSN’s Hotmail has used SPF and Sender ID in its spam filters for a few years, and has begun providing "negative notice" to its users, alerting them when a message cannot be authenticated.

Still, many ISPs are not implementing authentication heavily, according to Ben Isaacson, privacy & compliance leader at Experian’s CheetahMail, and co-chair of the ESPC’s receiver relations committee. "It’s a ’chicken or the egg’ situation. The ISPs have to wait until the major senders are on board before implementing it and beginning to penalize senders for not authenticating," he said.

While most ISPs are not enforcing authentication as the only path to a user’s inbox, many are giving it more weight in their spam filters and deliverability algorithms. The ESPC plans to release a report later this week showing which authentication methods have been adopted by the major ISPs and outlining the ways they are implementing them, Hughes said.

The keys to continued authentication adoption are industry collaboration, research into new technologies to protect against current and future threats, and industry education to teach businesses why authentication is important and how to implement it, according to Microsoft’s Spiezle.

Next Step: Reputation

The progress in adoption of authentication by senders will be slower going from here, as lots of smaller senders get onboard, according to Dave Lewis, VP of alliances and market development at StrongMail and a member of the ESPC steering committee. The next group to pressure into adopting authentication is the body of large corporate senders, who send transactional or relational messages via email.

And once that happens, it will be time to layer on reputation services.

"We’re at a point in the adoption curve with authentication where we’re really reaching critical mass. After that happens, we can shift to the second step, which is solving reputation issues," said Lewis. Once they feel critical mass has been achieved, ISPs will feel more confident in taking assertive action against those senders who don’t authenticate, or those who are doing it wrong, he said.

Where authentication methods like SIDF and DKIM verify that a sender is who they say they are, reputation services take that sender’s identity and check it against a database of their sending practices, checking for things like bounce rates, unsubscribe practices and user complaints. Habeas, Return Path’s Bonded Sender, and Goodmail are three of the leaders in the reputation space.

One issue slowing the adoption of reputation services is the abundant grey area surrounding reputation. Where authentication tends to be black and white -- either a sender is or is not who they say they are -- reputation calls for more subjective analysis of data taken from several sources, weighted according to a subjective decision of the provider.

Without endorsing any provider or approach, the ESPC will be sharing at this week’s summit a set of best practices that should be followed by a reputation service provider, Hughes said. That list will include things like having transparent data as the basis for reputation scores, sharing information with senders about kinds of practices that might impact scores, and giving senders clear methods to improve or manage their reputation in the system, he said.

"Without a clear understanding of the factors that may help or harm their reputation, and a way to manage their reputation, senders will have no incentive to participate," Hughes said.

As ISPs begin to enforce authentication and reputation, more legitimate mail will pass through to the destination with a positive reputation. That will create "a true win-win for businesses and users, because it improves trust and confidence in email," according to Microsoft’s Spiezle.


ABOUT THE AUTHOR

Kevin Newcomb

Kevin Newcomb joined ClickZ in August 2004, covering search marketing and other online marketing topics. He has been reporting on web-based businesses since 2000.

Before the bubble burst, Kevin was a marketing manager for an online computer reseller, handling copywriting, e-mail marketing, search marketing and running the affiliate program.

With a combination of real-world marketing experience and years of business journalism, Kevin brings to ClickZ a unique ability to deliver news and training materials that help online marketers do their jobs better.
