Bad karma surrounds e-mail authentication plans

This week's powwow of e-mail heavyweights in Chicago returned the IT community's attention to the issue of e-mail message authentication, but the messaging community has too little to show for a year's worth of work, some say.

Microsoft, Yahoo, AOL, and others used the second annual summit to highlight adoption of sender authentication technologies and talk up their schemes for verifying e-mail senders and recipients. But some messaging experts complain that there are still too many competing authentication schemes to prevent technical conflicts and guarantee widespread adoption of e-mail authentication.

The second annual event, with the theme "Summit II -- Authentication & Reputatio-Building Online Confidence" was intended to highlight advances in the use of e-mail authentication technology after a year in which discussion and debate about it has faded.

Microsoft used the conference to promote adoption of the Sender ID, its e-mail authentication architecture, and to introduce "Smart Network Data Services," spam reports generated by the company's MSN and Windows Live services, and "MSN Postmaster Services" a new program to provide tools and best practice guidance for ISPs to manage their e-mail infrastructures with MSN and Windows Live users.

Sender ID increased threefold from 7 percent in July 2005 to 21 percent among Fortune 500 companies, said Craig Spiezle, director of technology care and safety at Microsoft.

Currently, about 32 percent of all e-mail sent is Sender ID-compliant, Spiezle said.

Many of the other companies and industry groups followed suit. The E-mail Sender and Provider Coalition -- formerly known as the E-mail Service Provider Coalition -- issued a report showing "rapid adoption of authentication standards by 18 of the nation's largest Internet Service Providers," including AOL, Microsoft, and Yahoo. The company also issued a document providing "guiding principles of e-mail reputation" and "a framework for public and private reputation services."

Enterprise messaging company StrongMail offered its own whitepaper "E-mail Authentication: The Time is Now" and a paper on "The Do's and Don'ts of E-mail Authentication."

Despite the good cheer, the e-mail authentication landscape is still as hopelessly crowded as it was a year ago, said Meng Wong, a messaging authentication expert who developed the SPF (Sender Policy Framework) standard, which later merged with a competing Microsoft architecture called Caller ID to become part of the Sender ID framework.

"One of the big mistakes in authentication was too many cooks in the kitchen," Wong said.

The industry managed to boil SPF, Caller ID, Domain Keys and IIM down to just two authentication schemes: Sender ID and DomainKeys Identified Mail, or DKIM, Wong said.

But the next stage in the evolution of e-mail messaging -- mail reputation and accreditation -- is even more complicated, with vendor-backed services such as Bonded Sender, Habeas, Goodmail , TrustE, SenderBase, Spamhaus, Spamcop, SenderIndex and SenderScore providing overlapping services and, in some cases, competing with one another.

The result is that enterprise IT staff are overwhelmed with options, but have little guidance about how to assemble a working solution that will spot and block fraudulent spam messages, Wong said.

"We need to build The Reputation Store where folks can just go in and buy what they want," Wong said.

At Principal Financial Services in Des Moines, Iowa, Corey Null said he passed on the Summit this year, after attending the inaugural show in New York City last April.

"The issue kind of dropped off for us," Null said.

Principal implemented SPF in August 2004 to sign outbound mail from the company's servers and uses an anti-spam appliance from IronPort. That company's Senderbase reputation service checks for SPF records on inbound mail, he said. In January, Principal began authenticating outbound e-mail using the DKIM technology.

In general the new authentication technology has been introduced and deployed without incident, though Null said Principal has had some legitimate e-mail rejected from "mom and pop" companies using low-end or freeware anti-spam tools that are unable to match the e-mail's DKIM signature, he said.

That said, the new layers of message authentication haven't put a dent in the volume of spam Principal gets, Null said.

"We haven't seen on our inbound side (spam volume) decrease any over the past few years," he said.

Spam is 92 percent of Principal's inbound mail, and that's after most inbound e-mail attempts are dropped because they don't pass the Senderbase reputation check. The real percentage of spam is probably up over 95 percent, Null said.

But the debate over e-mail authentication and reputation seems to him to have stalled.

"There doesn't seem to be any new advancement in the standards. The same questions seem to persist: [mail] forwarding and news groups, mass mailers and things like that, but there's no new solution around them," he said.

Happy with the service IronPort provides, Null said he has "moved on."

"I keep reading all documents. Whatever new standard comes out, I'll look at it," he said.

Wong agrees. His open source SPF standard took off quickly after he introduced it in 2003, even getting adopted by major ISPs like AOL. Now he plans to launch a new company to make sense of the complexity around e-mail authentication.

His new company, Karmasphere, will be an open-reputation network that will simplify and enable the reputation industry, he said.

"When you go to a restaurant, the meal you eat may have thirty different ingredients, from soup to nuts, but you don't worry about that; you just say, 'I'd like the Set Lunch, Combo A, please,' and everything just happens," he said. "We're trying to create that same level of convenience."

Join the newsletter!

Error: Please check your email address.

More about AOLHISMicrosoftMSNSpamCopTRUSTeYahoo

Show Comments

Market Place