The Identity Crisis and E-Mail Authentication: Finding Your Identity

SPF, Sender ID, Domain Keys, Identified Internet Mail (IIM), client SMTP validation (CSV), and bounce address tag validation (BATV). What is this alphabet soup? These are just six of the proposed sender authentication schemes that might someday represent your identity as a sender.

I’ve been thinking a lot about this identity crisis lately. I spent the past month attending a variety of events that culminated with INBOX East in Atlanta. Although no one could agree on one sender solution, a few things were consistent across all these events.

We’re Not There Yet

The endless discussion of sender identity, accreditation, and reputation offers the sobering realization that we’re further from fixing the spam/spoof/phish problem with one standard than anyone wants to admit. Although it’s wonderful to see the love among the ISPs and MTA vendors, everyone is still protecting his pet project.

Yahoo’s Domain Keys is gaining traction with other ISPs, but it’s nearly identical to Cisco’s IIM. Can’t we just put our corporate interests aside and agree on one standard?

Many agree that, for sender authentication to work, we need to take a cryptography-based approach, such as Domain Keys. But rolling that into SPF/Sender ID doesn’t seem likely in the near term. One big stumbling block is users with sender addresses different from their sending domains, such as a business traveler connecting through an Internet café or other Wi-Fi hot spot. Perhaps in those exceptions, we use something like challenge/response. But to suppress a spammer on the move, this isn’t an ideal solution or very different from what we have today.

Little Marketing Input

There was a general absence of real-world implications for good-guy marketers just trying to get their mail out. Not that we didn’t discuss it; heck, I moderated a panel on it. But there weren’t many marketers in the room to join the discussion.

The Email Service Provider Coalition (ESPC) was present, representing the email service providers (ESPs) large and small, but the conversations seemed to be dominated by the ISPs and mail infrastructure vendors. Even concepts such as reputation leaned more toward the blacklisting types of services rather than the white variety favored by permission marketers. We shouldn’t build a world of sender standards on the presumption of guilt before innocence.

Open to the Public

Perhaps the public debate we’re having on these probable solutions is too public. Didn’t anyone notice the spammers in the room or the possibility of phishers dialed into the FTC authentication summit? Perhaps we need to make the secret sauce a little bit more, well, secret. Shouldn’t we check identities and reputations at the door before letting people in? Maybe not, because that would likely require yet another standards body to put that solution in place.

The whole notion of an open identity standard is predicated on the broad distribution of these authentication systems. Let’s not fool ourselves. It won’t take spammers long to get on board with them. It just means identity without accreditation and reputation doesn’t do us much good. If you think these identity debates are heated, wait until we tackle reputation. But more on that another time.

Mitigate Delivery Risks

There are many well-intentioned, smart people working hard to solve this identity crisis. To paraphrase a recent presidential candidate: This is hard work; these are tough problems. Until it’s all figured out, what should you do? Here are some ideas to help mitigate delivery risks in the near term:

  • Work with an ESP that has working relations with the large ISPs. There are tons of great ESPs out there.
  • Identify delivery problems by working with a delivery auditing services provider, such as Return Path, Piper Software, Pivotal Veracity, or EnhanceRate.
  • If you aren’t publishing SPF records and want to be whitelisted with AOL, start publishing those records now. Go here to learn about AOL’s specifics.
  • Concerned about getting mail delivered to Hotmail or MSN, especially those critical transactional messages? Look into Bonded Sender.
  • Most important, adhere to all those good permission email marketing practices, such as bounce suppression, list hygiene, and dedicated IP addresses for commercial and transactional mail.

These are just a handful of ideas to start out with.

Good luck finding and securing your identity. Let me know how it works out.
