
Email Authentication Myths and Misconceptions

By Stephanie Jordan

Given the promise of email authentication's strong antispam and anti-phishing technology, it may be surprising to learn that (according to email service provider SKYLIST) an estimated half of all email marketers do not authenticate their messages. How can many consider email authentication to be an email delivery best practice, and yet we do not see a surge to adopt? Early proponents like SKYLIST, the Email Sender and Provider Coalition (ESPC), and Return Path, among others, believe there is a need for more education and incentive to embrace the technology protocols.

"Many companies, particularly small ones, have never heard of email authentication. Those who have heard of it have not yet initiated a project to implement it," said Tom Bartel, chief privacy officer for Return Path in a recent blog.

There appear to be a number of myths and misconceptions surrounding email authentication that could be standing in the way of advancement. SKYLIST cites, among the top reasons email marketers are not authenticating messages, the perception that authentication is difficult and costly. Both are false, according to Josh Baer, CEO of SKYLIST. Baer says that, particularly for senders, authentication is straightforward. The greatest challenge is knowing all the ways used to send email, which for large enterprises can take time. Even Cisco Distinguished Engineer Jim Fenton, one of the DomainKeys Identified Mail (DKIM) authors, says, "More and more of Cisco's messages will be signed over time. It takes a little while since we have email infrastructure all over the world that needs to be equipped with DKIM, but we are making a lot of progress."

Fenton acknowledges the hurdles to getting more organizations to adopt email authentication standards in this way, "I think we have a bit of a chicken egg problem. Email Authentication takes some work to implement and people are not willing to go to that trouble unless they see other people doing it."

Answering the Question: Why Bother?

Another commonly heard email authentication myth is that there is no benefit to authenticating. Baer disagrees, stating the benefit of authentication is that it ensures your messages don't get blocked once the major ISPs start mandating authenticated email. It already makes a difference at two of the biggest consumer ISPs: Yahoo! and MSN/Hotmail.

According to Bartel, "Email authentication has two primary benefits: It stymies forgery of email messages and allows senders to build a positive reputation with receivers, based upon their mailing behavior."

Still others are under the impression that email authentication will not solve the spam problem. That is true: in and of itself, authentication cannot. "Authentication was designed as the framework to establish reputation, which is the solution to stopping spam. It was never intended to be a silver bullet against spam. However, it is probably impossible to solve the spam problem without authentication," says Baer.

Dave Lewis, VP of alliances and market development for StrongMail Systems (and ESPC co-chair of the receiver relations committee responsible for evaluating reputation systems), has heard that before too, but he has heard the opposite as well. "Another key misconception out there is that email authentication will be a panacea and make everything good again. That is not what email authentication is either. It does not mean that by authenticating your records that magically you become a good player," warns Lewis. He believes that authentication is simply a mechanism by which the receiver of the email can ascertain the identity of the sender, making the identity itself neutral. It does not necessarily suggest good or bad practices. "There is a two-step remedy to the problem of spam, phishing, and spoofing, and it really comes down to knowing who the originator of the email is, and (once the identity is known) then associating practices with that sender. From there, we can make more rational decisions on whether to accept the email and where to put it. To me authentication is the critical first step to being able to establish accountability and that is what has been missing from email up until this point," states Lewis.

Which One?

SKYLIST also cites that some believe there is no consensus on one authentication standard, so organizations do not know which one to support. Baer says that, particularly for senders, the question of which protocol to go with is moot. Every sender should be implementing both Sender ID Framework (SIDF) and DKIM, as they are complementary, not mutually exclusive. Fenton heard during their DKIM Summit I in February that a barrier to adoption is the perception that DKIM is an unstable specification because the Internet Engineering Task Force (IETF) is working on it. "Except for experimental purposes, don't try to follow what the IETF is doing in terms of revisions to drafts for the time being."

The authors of DKIM have been working hard to get the IETF to take on the protocol. "DKIM is a different sort of authentication than the security area IETF is accustomed to," says Fenton. "We recognize the fact that message authentication systems, like DKIM, don't themselves solve the spam problem. There are some who would question the value of it. It is a bit more of an infrastructure value for now, until we can get to reputation and accreditation systems that are built on top of it. The way I like to express its value is that it is a little like having a peep hole on your door. You can use the peep hole as a tool to tell you something about who is there. It gives you input as to whether you should open the door."

Just this January an IETF working group was formed to evaluate DKIM as an Internet standard, and the first meeting of the DomainKeys Identified Mail Working Group took place just prior to Messaging News going to press in March. "We are very happy that the IETF has recognized the value of DKIM and supported the formation of the working group. We want folks to use the draft-allman-dkim-base-01 version of the specification now," says Fenton. "Once the IETF specification stabilizes, then it will be appropriate to move to the IETF stable version, but we want to make it one migration rather than three or four."

Adoption Happening Now

Regardless of the misconceptions and those slower to adopt, adoption of email authentication is happening. Director of Microsoft's Technology Care and Safety Group Craig Spiezle notes, "We continue to see adoption of Sender ID increasing across all fronts. Today over 35 percent of all legitimate email sent is now SIDF compliant, helping to protect over 2.5 million domains and 500 million inboxes from phishing and spoofing attacks. At MSN/Hotmail and in over 1,000 deployments of Microsoft Exchange Server 2003 and other third party solutions, we have realized improved spam detection and deliverability of legitimate email, while benefiting in a reduction of false positives."

To further support and enable broad adoption by companies and ISPs worldwide, Microsoft recently announced the Microsoft Sender ID Adoption Program. This program demonstrates broad industry collaboration, including over US$500,000 of market development funding, helping to support the industry in promoting the business value of authenticated email via SIDF. In addition, funds are being offered to support open source MTA implementations. The goal is to increase adoption and implementation for both senders and receivers, with the objective of improving online trust and confidence. More information on this program can be obtained by contacting: senderid@microsoft.com.

On the DKIM front, Fenton is optimistic about the near-term. "While we do not have specifics to mention just yet, we are encouraged by some of the private discussions we have had with a number of players and their plans for adopting DKIM. I expect that there will be some announcements of significant email domains that are using this technology in the late spring to summer time frame."

Moving Forward

SKYLIST notes a few final myths: that authentication is high risk and that it will not change the return on investment (ROI) for email marketers. Baer believes that senders are not measuring their email closely enough to notice all the deliverability problems they currently have. Further, as ISPs begin to enforce authentication, senders will feel the pain in their campaign ROI, as they potentially lose access to 50 percent of their target inboxes. Baer also says many do not realize how easy and low risk it is to authenticate right now. In fact, it is becoming high risk not to authenticate. SJ/MNP

FOR YOUR REFERENCE
DomainKeys Identified Mail: www.dkim.org
Email Authentication: www.emailauthentication.org
Email Service Provider Coalition: www.espcoalition.org
Microsoft Sender ID: www.microsoft.com/mscorp/safety/default.mspx
Return Path: www.returnpath.com
SKYLIST: www.skylist.com