E-Mail: Who Goes There?

Authentication is the key to solving the spam problem.

Sendmail—maker of the commercial version of the open-source sendmail—announced last month that it will support any widely supported authentication scheme in an effort to thwart the growing problem of spam and e-mail fraud. This includes Yahoo's newly minted DomainKeys and Microsoft's recently announced Caller ID for Email.

The authentication train is about to leave the station, and IT administrators should be buying a ticket to ride.

I think e-mail authentication is the best solution to stopping spam—at least until SMTP can be replaced with a new mail specification. That won't be for many years, at least, and it's worth noting that most of the thinking about a new e-mail protocol revolves around baking in authentication.

Sendmail, Yahoo and Microsoft are among the biggest players in the e-mail industry. However, most anti-spam vendors predict that spam will grow to comprise nearly 60 to 80 percent of the total volume of e-mail by year's end. Big players, meet a big problem.

The sheer scale of the spam problem and the market presence of Sendmail, Yahoo and Microsoft dictate that IT managers immediately evaluate the impact of the Sendmail announcement and begin to consider a strategic implementation of an e-mail authentication system that meets the Sendmail benchmark of "widely supported."

However, IT managers should keep their spam-filtering products in place because authentication doesn't say anything about message content, only that senders are who they say they are.

With authentication, content- and signature-based spam filters will be more capable of sorting unwanted mail from desirable mail. This will add further clarity to the e-mail communications channel. And when authentication of the sender is required before the sender's message can access the recipient's in-box, you can be sure the vast majority of spammers will end up looking for new work.

I have said many times in this space that technology schemes such as authentication will be much more effective than legislation such as CAN-SPAM at stopping unwanted e-mail. In fact, studies are showing that the CAN-SPAM Act, which took effect Jan. 1, has made little progress in stemming spam.

Spammers, and their wolf-in-direct-marketing-clothing counterparts, will be seriously challenged by authentication schemes because with authentication comes responsibility on the part of the e-mail sender and choice on the part of the e-mail recipient.

Fortunately, new services are available that promise to give authentication schemes real bite. For example, Brightmail, an anti-spam software maker and service provider, announced in January that it will use its global e-mail monitoring system to determine the amount of legitimate mail and spam coming from e-mail sources. The better the behavior (yes, as determined by Brightmail), the better the reputation of the sender and the better the reputation score used to grade e-mail coming into the Mail Exchanger server. As e-mail and anti-spam software products and services add "reputation features," companies and end users will get to determine the minimum score an e-mail must have to make it into in-boxes.

Even more important, authentication schemes will complement just about any anti-spam system, and that is the beauty of Sendmail's proposal.

There are drawbacks to using authentication systems, including increased costs for maintaining DNS servers and for buying into authentication and trusted reputation systems. However, I think that the costs associated with sorting good e-mail from bad are going to make expenditures on authentication systems look trivial.

And users will experience an almost immeasurable increase in goodwill toward e-mail systems as they see the stream of junk cut off. With authentication, relevance and productivity will return to e-mail.

Senior Analyst Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.