The embrace of email authentication by commercial senders, one of the key issues facing the email industry, is coming along nicely.
The adoption level grew by 60 percent last year and is at a point where most large commercial senders are using one or both of the two dominant frameworks. According to data from the E-mail Senders & Providers Coalition (ESPC), more than 35 percent of all mail now sent is being authenticated.
The logical question many email stakeholders are now asking is, what comes next? At the second annual E-mail Authentication Summit this week in Chicago, many of them will take up that question, discussing what will drive further adoption, issues of enforcement, and how to layer on reputation services once a sender’s identity is known.
Dueling Protocols Make Peace
It has been two years since the first email authentication standard, the open source Sender Policy Framework (SPF), hit the scene. SPF still exists as a standalone authentication protocol, with AOL as a strong backer, but it was also incorporated into Microsoft’s Sender ID Framework (SIDF), making SIDF the early leader in authentication methods.
Two cryptographic approaches, Yahoo’s DomainKeys and Cisco’s Internet Identified Mail, were created around the same time as the path-based authentication methods of SIDF and SPF. They were combined last year to create DomainKeys Identified Mail (DKIM), which has emerged as the leader in “signed” solutions.
Sender ID and DKIM, once seen as an either-or proposition, are now beginning to be recognized as complementary authentication technologies, as each has different strengths and weaknesses. SIDF’s value lies in its ease of implementation, its lack of hard costs and its negligible impact on server performance. The DKIM cryptographic solution conducts a more rigorous examination of a message than path-based approaches like Sender ID.
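To make the path-based versus signed distinction concrete, here is an added example (not code from the article or from any vendor it names): a minimal SPF evaluation against a constructed record, beside a simplified DKIM-style body hash check; it also shows one reason the two differ, a forwarder changes the path but not the signed content. The domain, SPF record and IP addresses are made up, and the DKIM portion covers only body canonicalisation and hashing, not the public-key signature.

```python
import hashlib
import ipaddress

# Constructed DNS TXT data standing in for a real lookup (hypothetical domain and record).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookup=FAKE_DNS_TXT.get):
    """Path-based check: is the connecting IP one the domain has published?
    Handles ip4/ip6/all with the +,-,~,? qualifiers; include/redirect/a/mx
    mechanisms are omitted to keep the example short."""
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"              # no usable policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]  # catch-all decides for unmatched senders
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"               # record ended without an explicit "all"


def body_hash(body):
    """Signed check, simplified: DKIM 'simple' body canonicalisation (drop
    trailing empty lines, ensure a final CRLF) then SHA-256, the value a
    signer places in the bh= tag and covers with its signature."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "\r\n".join(lines) + "\r\n"
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def body_intact(body, published_bh):
    """True if the received body still matches the hash the signer committed to."""
    return body_hash(body) == published_bh


if __name__ == "__main__":
    body = "Your order has shipped.\r\n"          # constructed message body
    signed_bh = body_hash(body)
    print(check_spf("example.com", "192.0.2.25"))  # inside the published range: pass
    print(check_spf("example.com", "203.0.113.7"))  # relayed by a forwarder: fail
    print(body_intact(body + "\r\n", signed_bh))    # content unchanged: True
```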
“Our vision has always been that IP-based solutions are the first step, and then senders will move toward more sophisticated signed solutions,” said Trevor Hughes, executive director of the ESPC.
Craig Spiezle, chair of the E-mail Authentication Summit and director of the technology care and safety group at Microsoft, voiced a similarly inclusive sentiment.
“We believe that the combination of multiple technologies deployed through a multi-phased approach will elicit more robust protections for the range of platforms, user environments and deployment requirements worldwide,” he said. “We are finding that Sender ID is proving to offer a significant business value. However, we see the value of DKIM as a complementary solution and expect many organizations will choose to implement both solutions.”
Adoption and Enforcement
All 58 members of the ESPC have implemented some form of authentication, both for mail sent on behalf of clients and in corporate email, and more than 70 percent of Fortune 100 companies are sending at least some authenticated mail, according to Hughes.
“We’re significantly ahead of where we were last year,” he said. “Senders are increasingly recognizing that it’s absolutely imperative to authenticate their messages.”
Some ISPs have already begun to attach consequences to failed authentication or unauthenticated messages. Yahoo has been a leader in enforcement of authentication. It was the first to put a visual alert in the user interface to show which messages are being authenticated via DomainKeys. MSN’s Hotmail has used SPF and Sender ID in its spam filters for a few years, and has begun providing “negative notice” to its users, alerting them when a message cannot be authenticated.
Still, many ISPs are not implementing authentication heavily, according to Ben Isaacson, privacy & compliance leader at Experian’s CheetahMail, and co-chair of the ESPC’s receiver relations committee. “It’s a ‘chicken or the egg’ situation. The ISPs have to wait until the major senders are on board before implementing it and beginning to penalize senders for not authenticating,” he said.
While most ISPs are not enforcing authentication as the only path to a user’s inbox, many are giving it more weight in their spam filters and deliverability algorithms. The ESPC plans to release a report later this week showing which authentication methods have been adopted by the major ISPs and outlining the ways they are implementing them, Hughes said.
The keys to continued authentication adoption are industry collaboration, research into new technologies to protect against current and future threats, and industry education to teach businesses why authentication is important and how to implement it, according to Microsoft’s Spiezle.
Next Step: Reputation
The progress in adoption of authentication by senders will be slower going from here, as lots of smaller senders get on board, according to Dave Lewis, VP of alliances and market development at StrongMail and a member of the ESPC steering committee. The next group to pressure into adopting authentication is the body of large corporate senders, who send transactional or relational messages via email.
And once that happens, it will be time to layer on reputation services.
“We’re at a point in the adoption curve with authentication where we’re really reaching critical mass. After that happens, we can shift to the second step, which is solving reputation issues,” said Lewis. Once they feel critical mass has been achieved, ISPs will feel more confident in taking assertive action against those senders who don’t authenticate, or those who are doing it wrong, he said.
Where authentication methods like SIDF and DKIM verify that a sender is who they say they are, reputation services take that sender’s identity and check it against a database of their sending practices, checking for things like bounce rates, unsubscribe practices and user complaints. Habeas, Return Path’s Bonded Sender, and Goodmail are three of the leaders in the reputation space.
One issue slowing the adoption of reputation services is the abundant grey area surrounding reputation. Where authentication tends to be black and white — either a sender is or is not who they say they are — reputation calls for more subjective analysis of data taken from several sources, weighted according to a subjective decision of the provider.
Without endorsing any provider or approach, the ESPC will be sharing at this week’s summit a set of best practices that should be followed by a reputation service provider, Hughes said. That list will include things like having transparent data as the basis for reputation scores, sharing information with senders about kinds of practices that might impact scores, and giving senders clear methods to improve or manage their reputation in the system, he said.
“Without a clear understanding of the factors that may help or harm their reputation, and a way to manage their reputation, senders will have no incentive to participate,” Hughes said.
As ISPs begin to enforce authentication and reputation, more legitimate mail will pass through to the destination with a positive reputation. That will create “a true win-win for businesses and users, because it improves trust and confidence in email,” according to Microsoft’s Spiezle.