The Messaging Industry Responds to Growing Threats
By Stephanie Jordan
According to Sir Winston Churchill, "There is at least one thing worse than fighting with allies, and that is to fight without them." In this case, the battlefield is over the inbox. In early 2004 a group of business, industry and marketing leaders banded together to pursue solutions to authenticate email and improve user confidence. Putting rivalries aside, www.emailauthentication.org was established with the goal of improving trust and confidence in electronic messaging.
"There was a need in the industry for actionable and prescriptive advice," says Craig Spiezle, executive director of the newly named Authentication and Online Trust Alliance (AOTA) and the director of Microsoft technology care and safety. Since its inception that need has not diminished, but has instead amplified with recent escalating and evolving threats. "With today's spoofing, zero-day exploits and image spam-the need remains for actionable advice that can be immediately deployed to help both ISPs and corporations protect their employees and their domains. And on the other side of the spectrum, marketers are struggling with deliverability."
While industry conferences abound, they were not created to foster collaborative thinking among vendors and other stakeholders. By July of 2005 the ad hoc group created the first Email Authentication Summit. Held in New York City, and underwritten by over three dozen industry and business leaders, the summit attracted over 400 attendees. "We did not really know where it was going. But the event was sold out, the sponsorship opportunities were sold out, and we recognized that we needed to do more," recalls Spiezle. "We created a Website to provide vendor neutral information and decided to do another event. It was held in April of last year in Chicago." Once again the summit was sold out and overwhelmingly well received among a broad range of Fortune 500 companies, including financial institutions, eCommerce, travel, and healthcare.
Authentication Adoption
Industry experts mostly agree that email authentication, when coupled with reputation, will aid in determining how mail should be handled. The two E-mail Authentication Summits have helped spread the word, and clarify the technology protocols. Demonstrating industry support and adoption momentum, over a dozen MTA and anti-spam vendors are currently shipping SIDF integrated solutions with DKIM quickly emerging with enabled products. Results from leading ISPs including AOL, Gmail, Windows Live Mail (MSN Hotmail) along with commerce and banking sites show improved spam detection and enhanced sender reputation scoring- resulting in a reduction in falsepositive incidents among authenticated and legitimate email senders.
"We are approaching more than 40 percent of legitimate mail worldwide that is authenticated through Sender ID. And those levels are increasing. A year ago, 3 million domains were publishing Sender ID/ SPF records. Now we estimate closer to 7 million. The level of adoption has not only increased, but has outpaced the formation of new domains," notes Spiezle.
Why is the industry collaborating on a way to truly know the originator of an email? According to Spiezle, "Email is the tactic of choice for all online threats. Regardless if it is bots, zombies, viruses, zero-day exploits, or phishing-the first line of defense is email. We must do this together, as an industry. The second line of defense is blocking at the browser-level against deceptive urls, phishing websites and sites embedded with malware. The third line is to protect the PC. Regardless if it belongs to a consumer or a business, it must be hardened. If you miss anyone of these, then you are missing the multi-layer safety and security strategy."
Summit 2007
This multi-layer approach is the focus of this year's Authentication and Online Trust Summit to be held in Boston. In expectation of continued interest, summit organizers have doubled the amount of space and time (the 18th and 19th of April). through a collaborative effort with the 11 company AOTA steering committee, including IronPort Systems, MarkMonitor, Microsoft, RSA, Secure Computing, Symantec, among others three tracks in the afternoon, and upward of 30 sessions have been added. "We found the scope and breadth of issues is becoming broader," states Spiezle. "This year we expanded the depth and breadth of the summit to reflect the different types of businesses and their issues. There are sessions that are more tuned to marketers, others tuned for legal and policy, and still more for technology. We need a holistic strategy to solve these issues. It is not just about technology. It really takes the collaboration of all the stakeholders and requires prescriptive advice and working with legislation and public policy.
In addition, the 2007 summit agenda provides more time for businesses to talk with each other. The collaborative spirit is attracting a cross section of participants from high-volume email marketers, and industry executives, to international participants from Europe and South America. "Last year we talked about the concept of authentication, and the application of reputation data," concludes Spiezle. "This year we are able to see conclusive results of how applying known sender behavior (reputation) to the confirmed authentication of the sender, is able to provide a more predictive and accurate determination to deliver, junk. quarantine, or delete mail. And that, at the end of the day, it is all about improving trust and confidence in email and eCommerce." SJ/TMP