">
And there's also the inbound/outbound issue: It's one thing to create the DNS entries that allow others to authenticate mail purportedly sent by you, even to sign e-mail using DKIM. It's another to authenticate incoming mail, and bolder still to reject mail that doesn't authenticate. If you look at the ESP Coalition's report on the big providers, here in PDF form, you'll see most of those verifying incoming mail are actually doing so against the relatively useless SPF standard.

In the short term, it looks like phishing, not spam, will be the test by which e-mail authentication may be judged. Before too long, it may be that all the large organizations subject to phishing attacks (eBay, the big banks and brokerages, etc.) will be able to claim full compliance with outbound authentication. Such domains have obviously high reputations, so any ISP or other receiving server that authenticates them should be able to block all phishing e-mails that purport to be from genuine domains belonging to the sender. There are ways around this, such as sending the message from firstname.lastname@example.org (owned by one "Omar B. Bahar" in Springfield, Ill.) rather than from citibank.com. It's still a step forward, and widespread reliance on reputation services should fill the gaps. Before I lost faith a year or two ago, I thought things would work out this way, that business would jump on authentication and force the rest of us to comply. I still think there's a long road ahead before real organizations can start actually to dump unauthenticated e-mail, but it could happen, and it would be a good thing.

If you're a big organization, you probably know how your own people have been handling e-mail authentication. If you're a small one, you probably haven't felt any pressure to do so; perhaps your support will come through outsourcing.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at email@example.com. Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
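The inbound side of the issue above, as an added example that is not part of the original column: a receiving server's policy that reads the Authentication-Results header a verifier has already stamped on a message, checks that the SPF and DKIM results actually line up with the visible From: domain, and rejects only for domains that (hypothetically) claim full outbound authentication. The domain names and the STRICT_DOMAINS table are constructed placeholders, and the alignment check goes slightly beyond the column by treating an unaligned pass as no pass at all.

```python
import re

# Constructed policy table for this example: domains assumed to publish full
# outbound authentication (SPF + DKIM), so mail claiming to be from them is
# refused when it does not authenticate. Placeholders, not real policy.
STRICT_DOMAINS = {"bigbank.example", "auction.example"}

RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)", re.I)
DKIM_D_RE = re.compile(r"header\.d=([\w.-]+)", re.I)
SPF_MF_RE = re.compile(r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", re.I)
FROM_RE = re.compile(r"@([\w.-]+)")


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim verdicts plus the domains they were evaluated for."""
    r = {m.group(1).lower(): m.group(2).lower() for m in RESULT_RE.finditer(header)}
    d = DKIM_D_RE.search(header)
    mf = SPF_MF_RE.search(header)
    r["dkim_d"] = d.group(1).lower() if d else ""      # DKIM signing domain
    r["spf_d"] = mf.group(1).lower() if mf else ""     # envelope MAIL FROM domain
    return r


def from_domain(from_header: str) -> str:
    """Domain of the From: address, i.e. what the recipient actually sees."""
    m = FROM_RE.search(from_header)
    return m.group(1).lower() if m else ""


def inbound_policy(from_header: str, auth_results: str) -> str:
    """Decide reject / deliver / quarantine for one inbound message."""
    domain = from_domain(from_header)
    r = parse_auth_results(auth_results)
    # A pass only vouches for the From: domain when the checked domain matches it.
    # SPF passing for some unrelated bounce address says nothing about the brand,
    # and a valid DKIM signature from a look-alike domain proves nothing either.
    dkim_ok = r.get("dkim") == "pass" and r["dkim_d"] == domain
    spf_ok = r.get("spf") == "pass" and r["spf_d"] == domain
    authenticated = dkim_ok or spf_ok
    if domain in STRICT_DOMAINS:
        return "deliver" if authenticated else "reject"
    if authenticated:
        # Genuine but unknown sender: authentication passed, reputation is a
        # separate question that a reputation service would have to answer.
        return "deliver:unknown-reputation"
    return "quarantine"   # never bounce unauthenticated mail from unlisted domains
```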