Industry Looks into Cloudy Future for Authentication

ISPs, large enterprises and e-mail security companies are hoping that an industry meeting will breathe life into an effort to thwart spam and e-mail viruses.

ISPs, large enterprises and e-mail security companies are hoping that an industry meeting in New York this week will breathe life into a flagging effort to thwart spam and e-mail viruses through the adoption of e-mail sender authentication technology.

The Email Authentication Implementation Summit will call attention to a smorgasbord of technologies that have emerged in recent years. The summit has the backing of major messaging players, including Microsoft Corp. and Sendmail Inc., as well as the Direct Marketing Association.

But with data from Microsoft showing only modest adoption of e-mail sender authentication by enterprises in the past year and a confusing array of open and proprietary technologies to choose from, some e-mail experts say that the future of e-mail sender authentication is cloudy.

The meeting comes amid growing alarm within the business community about the corrosive effects of spam, phishing and e-mail-borne viruses, as well as consternation over the panoply of IP-based verification methods, including the open-source SPF (Sender Policy Framework), Microsoft-backed SIDF (Sender ID Framework) and signature-based approaches such as a joint Yahoo Inc. and Cisco Systems Inc. technology called DomainKeys Identified Mail.


SPF and SIDF make it harder to fake the origin of e-mail messages. DomainKeys allows e-mail senders to digitally sign messages so that recipients can verify the message content and origin.

Still, only about 25 percent of e-mail that makes it into in-boxes at the MSN Hotmail service comes from Internet domains that have published SPF records, said Craig Spiezle, director of industry relations and business strategy at Microsoft's Safety Technology and Strategy Group, in Redmond, Wash.

"Is that a good number? I wish it was higher," Spiezle said.

Adoption of authentication technologies has been hampered by confusion over the competing authentication schemes from Microsoft, Yahoo and Cisco, as well as open-source alternatives such as SPF, experts agree.

"There's been a considerable amount of confusion in the marketplace about standards, and that has led to some folks sitting on the sidelines," said Louis Mastria, vice president of communications at the DMA, a New York trade association that represents 5,200 marketers worldwide.

Despite the confusion among enterprises and even vendors, however, all involved parties agree that something must be done to cleanse e-mail traffic.

Authentication backers argue that many of the questions about different authentication technologies have been resolved in the past year: Microsoft combined SPF and its own technology, called Caller ID, to create SIDF, and Cisco and Yahoo said last month that they will combine their competing message-signing technologies.

With authentication standards congealing and phishing a growing threat, companies need to get off the fence and begin implementing authentication, backers say.

"This is not Betamax versus VHS," Mastria said. "These standards are all interoperable, and a technology like SPF is easy to implement. There's no reason to sit on the sidelines and wait for some other development to happen."

Spiezle and others are hoping that presentations by Bank of America Corp., eBay Inc., News Corp. and other large companies on sender authentication implementations set an example for rank-and-file enterprises.

At Bank of America, administrators last year published SPF records for about a dozen domains from which the company sends e-mail. In the past two months, the company took another step: moving to a "soft fail" mode, wherein domain authentication data is used to inform heuristic filters that determine whether inbound e-mail is considered spam, said Erik Johnson, vice president and program manager of Bank of America's E-mail Infrastructure and Secure Messaging group, in New York.

But Bank of America isn't ready to take "hard fail" actions based on e-mail sender authentication records.

"It's still too early in the game to know the impact [of SPF]," he said.

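The difference between the "soft fail" and "hard fail" handling described above can be shown in a short sketch. This is an added example, not code from Bank of America or any vendor named in the article; the domains, address ranges, score weights and threshold are constructed assumptions, and only the `ip4`, `ip6` and `all` SPF mechanisms are modeled.

```python
import ipaddress

# Constructed sample data: SPF TXT records as a receiver would fetch them from DNS.
# Domains and address ranges are documentation placeholders, not real senders.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ~all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Return the SPF result for client_ip; handles ip4, ip6 and all only."""
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism {name!r} needs DNS lookups, not modeled here")
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


# Assumed score adjustments and threshold for the heuristic filter.
SPF_WEIGHTS = {"pass": -1.0, "softfail": 1.5, "fail": 3.0}


def inbound_action(spf_result, heuristic_score, mode="soft", threshold=5.0):
    """mode="soft": SPF only shifts the spam score; mode="hard": fail is rejected."""
    if mode == "hard" and spf_result == "fail":
        return "reject"
    score = heuristic_score + SPF_WEIGHTS.get(spf_result, 0.0)
    return "quarantine" if score >= threshold else "deliver"
```

In soft mode a message that fails SPF is still delivered if the rest of the filter finds it clean, which limits damage from an incomplete or stale sender record; hard mode removes that tolerance.
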
E-mail authentication milestones

Despite slow adoption by enterprises, the push to develop and implement e-mail sender authentication technology has continued unabated in recent months. Here are some recent milestones:

  • June 1: Yahoo and Cisco merge technical specs for DomainKeys and Identified Mail
  • June 22: Microsoft begins providing visible alerts to MSN Hotmail users when an e-mail they received can't be authenticated using SIDF
  • June 24: The Internet Engineering Steering Board approves SPF and SIDF as experimental standards
