The prevailing message attendees took away from the E-mail Authentication Summit held this week in Washington D.C. was that Sender ID, though not a perfect solution, is still worth implementing, and implementing soon.
“All of the people in this discussion have a common goal — to preserve and protect email,” said Trevor Hughes, executive director of the E-mail Service Provider Coalition, an organization representing many of the largest email senders in the industry. “Once folks get past the brand names involved and some of the noise from the periphery, we really find that common ground, and that’s really empowering.”
Industry leaders from all sides of the email authentication issue came together at the summit, which was sponsored by the Federal Trade Commission (FTC) and National Institute of Standards and Technology (NIST).
“What I had hoped for was a very high-profile discussion of the various proposals in the marketplace, and I think we got that,” Hughes said. “Beyond that, we saw more consensus building, consolidation and an energy emerging behind the need for email authentication.”
The two prevailing models for authentication are IP-based and cryptography-based solutions. IP-based, or domain-based, solutions require senders to publish a record in their DNS indicating what domains are allowed to send mail on their behalf. On the receiving end, such as at an ISP, the record is checked against fields in the message header to make sure a sender is who they say they are. The dominant IP-based solution is Microsoft’s Sender ID, which is now backwards compatible with Sender Policy Framework (SPF), a specification that has been widely adopted by AOL and others. (With these changes, AOL and at least 35 other companies have written a letter to the FTC in support of Sender ID.) The open source Client SMTP Validation (CSV) was also discussed at the summit.
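A sketch of the receiver-side check described above, added here as an illustration and not taken from the article or from any vendor's code. It handles only a simplified subset of SPF record syntax (`ip4`, `ip6`, `all`); the domains, addresses and in-memory record table are constructed stand-ins for DNS lookups, and the forwarded case shows where the forwarding issues mentioned later in the article come from.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation domains and ranges).
PUBLISHED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(connecting_ip, sender_address, records=PUBLISHED_RECORDS):
    """Evaluate the connecting IP against the record published by the sender's domain.

    Only the ip4, ip6 and all mechanisms are handled; other terms are skipped.
    """
    domain = sender_address.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy, so the receiver learns nothing
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term


def demo():
    return {
        "direct": check_sender("192.0.2.10", "alice@example.com"),
        # Same message relayed by a forwarding service at 203.0.113.7: the
        # sender address is unchanged, but the connecting IP is the forwarder's.
        "forwarded": check_sender("203.0.113.7", "alice@example.com"),
        "softfail": check_sender("203.0.113.7", "bob@example.net"),
        "unpublished": check_sender("192.0.2.10", "carol@example.org"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

The forwarded case fails even though the message is legitimate, which is why receivers need a policy for forwarded mail before they start rejecting on authentication results.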
With a crypto-based solution, the sender attaches a secure key to each message, and the receiver checks that message key against a public key to make sure it’s legitimate. Crypto-based solutions at the conference were represented by Yahoo’s Domain Keys, the clear leader, as well as Cisco’s Identified Internet Mail (IIM) and the open source Bounce Address Tag Validation (BATV).
“There are certainly people who want fewer choices, but we’re in the testing phase, so we can’t satisfy that,” said Dave Crocker, principal at Brandenburg Internetworking, who serves a consulting role with the CSV and BATV specifications. “We all would like to see fewer choices, but we want to make sure they’re useful. We need to be very careful not to eliminate any alternatives before understanding their benefits.”
One point of contention at the conference was whether to move directly to a crypto-based solution immediately, or to start with an IP-based solution and develop the crypto-based solution in parallel. There was a group at the event that supported dispensing with any IP-based solution and moving directly to a crypto-based one, including Yahoo and EarthLink.
Hughes said the ESPC does not agree with that idea, but does support the development of a crypto-based solution to work in conjunction with Sender ID. He expects all members of the ESPC to be publishing their SPF records for Sender ID compliance by the end of the year.
IP-based solutions are generally considered easier to implement than crypto-based ones, in terms of time, expense and bandwidth on both the sending and receiving ends, but not as effective. Hughes said this makes them a good first step, one whose benefits outweigh the points where they are lacking.
“We see that now as the second stage of authentication. It is the right way for us to end up, but the implementation costs, particularly on the receiving side, are challenging. We think we need something now, so we think we should implement an IP-based solution now and move to a crypto solution,” Hughes said. “The need is dire enough that we need to move forward with something today.”
For its part, Microsoft is of a similar mind, endorsing the idea of implementing Sender ID now, and working with Yahoo and Cisco on ways to add a crypto-based system as a second step, according to Microsoft spokesman Sean Sundwall.
“In the end, the two will be complementary,” he said. “The industry needs to get to a point where we adopt stuff. If we keep waiting, perfect will become the enemy of good, and we end up never deploying anything. We recognize that there are shortcomings in every solution, but we need to move on with this to lay the foundation for other things to come.”
One significant development coming out of the conference was an apparent consensus among major ISPs that it would be useful for them to share data with each other during the testing phases of Sender ID implementation, according to Dave Lewis, VP of deliverability and ISP management at Digital Impact.
He pointed to things like the percentage of mail being authenticated or rejected, as well as how they are handling edge cases and forwarding issues.
“If they get to the point where they’re going to reject records on the basis of not authenticating, they agreed to share that information with the community before those actions are taken,” Lewis said. “That was very positive. You don’t often get the major ISPs saying those sorts of things.”
Other positive themes at the conference included an attentiveness to the needs of small businesses and the sender community in general, as well as a positive momentum toward taking action, he said.