Email authentication gaining steam

The two major proposals solve the problem in different ways. Sender ID, based on Microsoft's Caller ID proposal and the Sender Policy Framework (SPF) created by Meng Wong, the founder of email service firm Pobox.com, authenticates email by checking the address of the sending server against a record added to domain name servers. DomainKeys use public-private key pairs to authenticate the message. Like Sender ID, the identifying information - in this case, the public key - is published in a special record stored on domain name servers.

"Authentication is authentication and nothing more," Sendmail spokesperson Allman said, who is also the lead editor of the DomainKeys Identified Mail (DKIM) proposal to the IETF. "It is like a driver's license or a passport. It tells you nothing about my driving record. Spammers can authenticate just like anyone else."

In fact, early studies of junk mail in 2004 found that nearly a sixth used the Sender Policy Framework, the predecessor to Sender ID, to appear legitimate.

However, as more legitimate domains are adopting the technologies, companies are developing reputation systems to evaluate which domains are considered "spammy" and which deliver content that people want in their inboxes. Spammers will not be able to spoof legitimate domains and still authenticate. And, email software can create a list of unwanted mail from a typo domains, such as micros0ft.com, that might otherwise fool the user.

"Authentication is a really big building block in terms of making a more intelligent determination of what is spam and what is not," said Ken Schneider, chief architect for Symantec and former chief technology officer at email security provider Brightmail (Symantec owns SecurityFocus). "If you are tracking reputation on top of this stuff, then it gives you the tools to detect attacks."

The technologies also help defeat phishing attacks, which have grown as an internet problem, Schneider said. In the second half of 2005, one in every 119 emails was identified by Symantec as a phishing attempt.

In a report published on Wednesday, the Email Sender and Provider Coalition found that the major ISPs representing the recipients of more than half the internet's email were using the email authentication technologies in some way.

But this is not a time to ease up on the pressure to adopt the technology, said Microsoft's Spiezle. More education and development is necessary, he said.

"There is no perfect solution right now," Spiezle said. "With any of these approaches, we need to be looking ahead and not at our shadow, because the deceptive forces out there will be looking for new ways to attack."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus