Is E-Mail Authentication Back on the Radar?
Is E-Mail Authentication Back on the Radar?
Just when Im done dismissing the potential for e-mail authentication to become an effective standard, evidence is presented to the contrary.
The E-mail Authentication Summit on April 19 wasnt even the highest-profile event at the hotel where it took place (Secretary of State Condoleezza Rice spoke to the Chicago Council on Foreign Relations there the same day). The 2005 Summit got a lot more ink.
But according to the Email Sender and Provider Coalition (I think this used to be the Email Service Provider Coalition), adoption has been moving along at an aggressive pace.
Much more of the total body of Internet E-mail comes from organizations supporting one of the two main authentication standards than you might think. Support by large senders is why.
Dont get me wrong, I really want to believe this, but Im suspicious. My guess right now is that their basic point is right, but that its not as far along as they want their numbers to imply.
The basic point is that adoption of SIDF (Sender ID Framework) and DKIM (DomainKeys Identified Mail) has moved along aggressively in the last year among large players, to the point where everyone else has to start dealing with it.
Theyre trying to portray an image of momentum that e-mail players have to start moving along with authentication because theyll be left behind if they dont.
Consider this claim: "AOL, Microsoft and Yahoo, whose combined e-mail accounts receive over 50 percent of the commercial e-mail in the country, support at least one of the current authentication standards."
Many other large senders of e-mail, the ones with the biggest interest in authentication succeeding (Citibank for example), are adopting it. DKIM support in all Internet mail is up from nothing to 9 percent inside of a year, and SIDF is up to 35 percent.
But adoption is a complex task. A cursory look at the SIDF and DKIM standards would give you the impression that its just a matter of making some DNS changes and maybe upgrading your mail servers to support some new tools, but for a large organization it can be quite complex.
You have to have clear control over all the outbound mail sources for your organization, including those belonging to outside service providers.
You have to establish procedures that must be followed whenever DNS or mail server changes are made.
As a result, many of the organizations that are said to be in compliance are only partly so.
For example, they may not have all their subsidiary organizations in compliance, they may not have worked out all the details with outside service providers (although the legitimate ones are enthusiastic supporters of authentication).
Next Page: The inbound/outbound issue.
And theres also the inbound/outbound issue: Its one thing to create the DNS entries that allow others to authenticate mail purportedly send by you, even to sign e-mail using DKIM.
Its another to authenticate incoming mail, and bolder still to reject mail that doesnt authenticate. If you look at the ESP Coalitions report on the big providers, here in PDF form, youll see most of those verifying incoming mail are actually doing so against the relatively useless SPF standard.
If youre a big organization, you probably know how your own people have been handling e-mail authentication. If youre a small one, you probably havent felt any pressure to do so; perhaps your support will come through outsourcing.
In the short term, it looks like phishing, not spam, will be the test by which e-mail authentication may be judged.
Before too long, it may be that all the large organizations subject to phishing attacks (eBay, the big banks and brokerages, etc.) will be able to claim full compliance with outbound authentication.
Such domains have obviously high reputations, so any ISP or other receiving server that authenticates them should be able to block all phishing e-mails that purport to be from genuine domains belonging to the sender.
There are ways around this, such as sending the message from firstname.lastname@example.org (owned by one "Omar B. Bahar" in Springfield, Ill.) rather than from citibank.com. Its still a step forward, and widespread reliance on reputation services should fill the gaps.
Before I lost faith a year or two ago, I thought things would work out this way, that business would jump on authentication and force the rest of us to comply.
I still think theres a long road ahead before real organizations can start actually to dump unauthenticated e-mail, but it could happen, and it would be a good thing.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at email@example.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.