E-mail authentication can help fight the growing spam e-mail problem, but vendors need to come up with a single, open standard to avoid confusion and crippling costs for small ISPs, participants in a U.S. government summit said this week.
The security of the DNS (the Internet's Domain Name System), on which some leading e-mail authentication proposals are built, was also called into question at the conference, hosted by the U.S. Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST). Holes in the DNS, which translates between readable Internet domain names and numeric addresses, could allow spammers to enter false authentication information, said Scott Chasin, chief technology officer of MX Logic, an e-mail filtering company.
"I believe the fragile nature of DNS will affect those trying to thwart e-mail authentication schemes," Chasin said.
MX Logic supports efforts to create e-mail authentication, but Chasin also called for the widespread adoption of DNS Security Extensions (DNSSEC), a security project that's been in the works for a decade, and is now being approved by the Internet Engineering Task Force (IETF). "[Authentication] is not a cure-all for spam," he added in an interview. "It is not a cure-all for phishing."
Participants in the summit seemed divided about the potential of e-mail authentication schemes, which would use records published in the DNS to let e-mail recipients accept e-mail only from trusted senders. Such authentication schemes would be based on a reputation system, similar to so-called whitelists, in which e-mail from certain domains, such as Yahoo.com or IBM.com, would be cleared as legitimate e-mail. There could be multiple reputation systems run by multiple companies or organizations.
Elizabeth Bowles, president of the 40,000-subscriber ISP Aristotle.Net, raised concerns about at least six e-mail authentication proposals moving forward, including Sender ID, advanced by Microsoft, and Sender Permitted From (SPF), being used by America Online.
Small ISPs can't afford to configure their e-mail to comply with a variety of authentication standards, she said. Bowles and others who had concerns about e-mail authentication noted that various proposals require ISPs and Internet domain owners to publish different types of DNS records to comply with authentication standards.
"We can't have AOL implementing one system, and Microsoft implementing another, and everyone having to comply with a bunch of different standards," said Bowles, whose company is based in Little Rock, Arkansas. "It has to be unified."
E-mail authentication standards should be easy to implement and the solutions should be easy to tailor to an ISP's needs, she added. "I don't think it can have a part of it that's proprietary, that would require us to basically get a license for a piece of software that we couldn't subsequently modify or improve," she said. "If it is proprietary, at least it needs to be open, and it needs to be a flexible system."
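To make concrete what "publishing DNS records" for a proposal such as SPF actually involves, and why the DNS fragility raised earlier in the article matters, here is an added example (not code from the article, the summit, or any of the companies named in it). It evaluates a constructed SPF-style TXT record against a sending IP address the way a receiving mail server would. The domain names and records are made up for illustration, the `lookup_txt` function stands in for a live DNS query, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented; the `a`, `mx`, `ptr` and `exists` mechanisms need live DNS and are left out.

```python
import ipaddress

# Constructed sample "zone": domain -> SPF TXT record. These are not real
# records; the domains are reserved documentation names.
SAMPLE_TXT = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.org -all",
    "mailer.example.org": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result. A mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query. In a real receiver this is the step whose
    integrity the whole decision rests on (hence the DNSSEC discussion)."""
    return zone.get(domain)


def check_spf(sender_ip, domain, zone=SAMPLE_TXT, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for
    `sender_ip` claiming to send on behalf of `domain`.

    Implements the subset of SPF mechanisms listed in the lead-in.
    Records are evaluated left to right; the first matching mechanism wins."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = lookup_txt(domain, zone)
    if record is None:
        return "none"                    # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":                # catch-all, usually last
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(sender_ip, arg, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"       # included domain must exist and parse
            # fail / softfail / neutral from the include: keep evaluating
        else:
            return "permerror"           # mechanism not supported here
    return "neutral"                     # record ended without a match


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.net"),
                    ("198.51.100.10", "example.net"),
                    ("203.0.113.5", "example.net"),
                    ("2001:db8::1", "example.net"),
                    ("192.0.2.7", "unlisted.example")]:
        print(f"{ip:>16} for {dom:<18} -> {check_spf(ip, dom)}")
```

Two things the article's participants were pointing at are visible here. First, the whole cost to a domain owner is authoring that one TXT string correctly, and every additional proposal means another record in a different syntax, which is the burden Bowles described. Second, the receiver's decision is driven entirely by what the lookup returns: if an attacker can influence the answer to that query, the sender "passes" without ever touching the mail itself, which is why Chasin tied the value of authentication to DNSSEC.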
The Best Hope?
Despite these concerns, others at the summit say e-mail authentication represents the best hope for senders who want to distinguish their e-mail from spam.
Small Internet-based businesses are "getting slammed from all sides" because of spam, and members of the International Council of Online Professionals, a trade group for small online businesses, would welcome a way for their e-mail marketing campaigns to be tagged as legitimate e-mail, said Dawn Rivers Baker, a founding member of the council.
Small businesses engaging in marketing campaigns have to fight being labeled as spammers by customers who have forgotten they signed up for the e-mail, Rivers Baker said. Other members of the council have to deal with disgruntled customers who have paid for a newsletter, but had that newsletter labeled as spam and blocked by an ISP.
"We will jump through all of the hoops that you tell us to jump through," she said. "You want us to publish 57 records, you bet. You want us to encrypt, we will do that, too. You want us to tango, we will tango."
A recent study conducted by Return Path, an e-mail services provider, found that 18 percent of legitimate e-mail was blocked by the top 10 ISPs, said J. Trevor Hughes, executive director of the E-mail Service Provider Coalition, which represents 52 companies. For some companies that use e-mail marketing, that's a cost of doing business, but for an e-commerce site sending a shipping confirmation, or a telephone company sending a phone bill, those blocked e-mails are a problem, Hughes said. An e-mail authentication standard could solve some of those problems, he said.
Many of the concerns voiced at the FTC summit will be easily addressed, said David Anderson, chief executive officer of Sendmail, which supports Microsoft's Sender ID e-mail authentication initiative. Anderson estimated that the cost of establishing a good reputation in authentication schemes will be small. In most cases, domains will establish reputations with each other, and individual e-mail users will not need to comply with multiple authentication schemes, he said.
"If you are an established [e-mail] user, you will find it almost impossible not to establish a reputation," he said.