E-mail authentication: The choices

Some observers criticize IT vendors for not agreeing on a single, standard way for dealing with evil e-mail. The key e-mail authentication protocols are Microsoft's Sender ID Framework (SIDF), with its Sender of Policy Framework (SPF) records, and the rival Yahoo/Cisco DomainKeys Identified Mail (DKIM).

But a good case can be made that e-mail senders, Internet service providers and e-mail recipients should use both SIDF and DKIM.

"Domain owners are well advised to publish information using both standards, and e-mail recipients can use both standards to help filter spam," says Richi Jennings, an e-mail security analyst at Ferris Research.

But, he adds, "DKIM is better because the methods used to verify that the sender was authorized to use that domain are stronger. SPF/Sender ID has issues with mail lists and other things that autoforward mail."

DKIM is stronger, Jennings says, because it generates cryptographic hashes of content using keys owned by the e-mail sender's domain, while SIDF is simply based on which IP address the message comes from. "This means that DKIM is harder to set up and a little more expensive in terms of computing horsepower," he says.

John Scarrow, Microsoft's general manager of antispam and antiphishing strategy, agrees that the approaches are complementary. "By utilizing both, e-mail senders receive optimal protection and functionality across the board," he says. He acknowledges that DKIM is better for automatic forwarding by servers, such as when a user configures his Hotmail account to automatically forward messages to his Microsoft account.

But Scarrow argues that DKIM requires users to upgrade to both outbound and inbound message-transfer agents (MTA), such as Microsoft's Exchange Server, and affects "about 10 percent to 15 percent of computing cycles, while SIDF has no outbound impact to the MTA and negligible impact to any computing resources."

The future of electronic communications: Alternate realities

If you think you've conquered the ills of e-mail, you ain't seen nothin' yet, says futurist Paul Saffo.

"Look at all the indignation in the corporate world about salespeople using instant messaging to talk to customers," he says. "Some companies have gone to fire these people and found that all their data is out on a commercial-grade IM system and they can't get to it. Then they have hideous Sarbanes-Oxley problems, plus security problems and everything else."

It will get worse, Saffo predicts, when employees install MMORPGs -- massively multiplayer online role-playing games -- on their desktop computers and when they use their company laptops to travel through online societies like Second Life.

"CIOs worry about improper use of corporate systems by employees. But the bigger problem will be employee use of noncompany systems for company purposes," he says. "If the CIO has a problem getting his head around IM, just wait until he discovers that his employees are creating private lives in Second Life and inviting their clients to come hang out with them."

But at least one IT manager seems to have gotten his head around the problem. "We do not see it as a problem," says Matthew Marks, head of integrated user services at Aetna. "Our Web filtering software blocks specific and whole genres of Web sites from our employees, such as sex, violence, hatred and so on. We already block www.secondlife.com. As more of these types of sites become prevalent, the software will filter these out. We also do not allow IM outside of the company, and we do not allow people to download software from the Internet."