E-mail Group Urges Authentication

The E-mail Service Provider Coalition (ESPC) is toughening its stance on email authentication, now requiring members to implement authentication for all email they send on behalf of clients, many of which are marketers. The ESPC will also mandate that members use authentication when sending their corporate email.

“As an industry of concerned senders and receivers, we need to collectively take the next step toward email accountability,” said the ESPC in a position statement unveiled today at the Inbox West trade show in San Jose, Calif. “E-mail accountability represents our industry’s best chance to restore confidence, and take the medium back from the spammers.”

“The medium has tremendous potential, but if we lose consumer confidence in it, in terms of its trustworthiness or its reliability, that potential remains unrealized, and it could have far-reaching consequences,” said Dave Lewis, VP of marketing at StrongMail Systems and co-chair of the ESPC’s Receiver Relations Committee, which authored the statement.

The organization, composed of 62 member companies, had previously required all new members to be compliant with the Sender Policy Framework (SPF) authentication standard, while urging existing members to become compliant as soon as possible. Based on a recent survey of its membership, the ESPC found that 97 percent were authenticating outbound client email and 73 percent were authenticating both client and corporate email.

The ESPC suggests that email senders immediately implement the IP-based Sender ID Framework, developed last year by combining Microsoft’s Sender ID with the open source Sender Policy Framework (SPF). The organization advises that other authentication standards, such as cryptographic solutions, can then be added on top of the Sender ID authentication where needed.

The two most widely adopted cryptographic solutions, DomainKeys from Yahoo and Internet Identified Mail from Cisco, have been combined into one solution called DomainKeys Identified Mail (DKIM), the companies announced today. DKIM uses public key cryptography to allow users to verify and maintain message integrity, and clearly identifies legitimate messages.

The ESPC is also calling upon major ISPs and other large email receivers to begin checking all inbound email for a correctly published SPF record, and notify members when a sender’s identity cannot be authenticated.

“Nothing will get the attention of a direct marketer faster than something that impacts their bottom line, and a message to end users stating that their message can’t be authenticated is going to affect open rates, click rates and conversion,” Lewis said.

The ESPC is also asking ISPs to regularly publish their adoption statistics to keep the industry and email users informed of the progress of the authentication initiative.

“While advocating that receivers provide senders with notice on incorrectly authenticated mail or their intention to blacklist or bounce unauthenticated mail, the ESPC firmly believes that it’s in our mutual best interests for receivers to start taking definitive action based on the results of their authentication tests. We need receivers to reject mail from the spammers and phishers who are degrading our brands and destroying our medium,” said the ESPC in its statement.

ESPC members include Experian’s CheetahMail, Constant Contact, Digital Impact, DoubleClick, ProspectivDirect, Return Path, Skylist, and StrongMail Systems. In April, the group expanded its membership beyond email service providers to include email infrastructure providers, mail transfer agents, Internet service providers, non-profits, anti-spam application providers and deliverability solution providers. At that time, it added 13 new members, including Microsoft, Sendmail, IronPort Systems, and the Financial Publishers Association.
