Can Authentication Restore Trust in E-Mail?

Is identity theft on the rise, or is it a problem that has been vastly overhyped? Recent incidents of lost or stolen laptops have focused public attention on the huge amount of personal information that can very easily make its way outside the control of corporate IT. However, in spite of so many incidents involving hundreds of thousands of individuals, it is not clear that the lost or stolen information was actually used for gain.

Unfortunately, the flurry surrounding these laptop incidents has shifted focus away from a very real threat — the increasing severity of spam, deceptive e-mail and phishing exploits that truly are intended to garner personal information and use it for illicit purposes. It would be a real shame if people began to lower their guard when confronted with a phishing attack, in the mistaken belief that nothing bad would really happen if they were to disclose personal information, such as online banking username-password combinations, to the wrong entity.

Phishing and Forged Sender Names

Phishing is certainly not on the wane. According to the e-mail Sender & Provider Coalition, a group founded in 2003 to fight spam while protecting the delivery of legitimate e-mail, 95 percent of all phishing attacks come via e-mail with a forged sender name.

That e-mail will have a link to a fraudulent Web site where the unsuspecting user will be lured into entering sensitive information. It is not terribly difficult for an evildoer to masquerade as a legitimate business: deceptive domain registrations, look-alike domains, misspellings, domain squatting — some estimate that there are over 500,000 domains that have been registered solely for the purpose of sending deceptive e-mail.

The impact on individuals seems to be clear: According to a Gartner report in May 2005, phishing and online attacks are causing a dip in consumer confidence, and cost us almost a billion dollars over a 12-month period. Adoption and use of online bill paying, e-commerce and online banking are falling.

However, the impact to the organizations being spoofed is just as great. Not only is a great method of communicating with their customers — e-mail — being rendered ineffective, but their very brand is being attacked. They are placed squarely in the middle of a crisis in confidence in electronic messaging and e-commerce. It stands to reason that finding a solution will necessarily involve legitimate senders themselves.

Trustworthy Messaging

Much work has been done with regard to figuring out who really sent a message, and whether or not the party is worthy of our trust. Such trust is based on both the authentication and the reputation of the sender. The first step toward developing a system of trustworthy messaging is to confirm the identity of the real sender. There are several complementary standards in place today to do just that, known as “authenticated e-mail.”

This is not e-mail authentication, which requires an individual to provide proof of identity before sending or opening a message. Rather, it refers to confirming the actual domain from which the e-mail is being sent. That information, coupled with step two, building a good reputation for that domain, can lead to improved deliverability and differentiation.

The two front-runners are SIDF and DKIM. SIDF (Sender ID Framework) calls for the sender to publish acceptable message paths for the domain. The recipient then checks to make sure that the e-mail actually came from the domain. This is known as “path-based” authenticated e-mail, and while it sounds simple, it has not proven to be so. Large organizations with complex e-mail systems may find that publishing a list of acceptable paths is close to impossible. In addition, SIDF has problems with forwarding and multiple-hop messages.

DKIM (DomainKeys Identified Mail), on the other hand, is a signature-based approach developed by Yahoo and Cisco. DKIM actually secures the message itself. The sender inserts a digital cryptographic signature into e-mails for its domain. This approach is more complex than SDIF, but it has the advantage of supporting forwarding and surviving multiple hops, and is even extensible to individual addresses.

Who Adopts?

Naturally, marketers and volume senders with large amounts of transactional and corporate e-mail are early adopters, since they rely heavily on e-mail for their livelihood. Leading industry organizations, including the Direct Marketing Association (DMA) and the E-mail Sender and Provider Coalition (ESPC), require members and users to authenticate all outbound marketing e-mail. While estimates of actual adoption vary, statistics revealed at the Authentication Summit II held earlier this year showed that some 35 percent of e-mail sent today is Sender ID compliant, while 7-9 percent is signed by DomainKeys. Fortune 500 adoption has grown from 7 percent to 22 percent in one year.

However, according to Charles E. Stiles, Vice Co-Chair of MAAWG (Messaging Anti-Abuse Working Group), authenticated e-mail “is not limited to ISPs, businesses small or large; it is intended for anyone that is ready to stand behind the reputation their e-mail creates.” According to recent studies cited at the Authentication Summit II, a large number of mailers have already adopted one or both of the technologies to help receivers ascertain the true source of the e-mail.

There is some evidence that spammers have adopted authenticated e-mail as well. Last year, Denver-based MX Logic, an e-mail defense solutions provider, published the results of a research study showing that a significant percentage of the e-mail surveyed came from domains that had adopted authenticated e-mail techniques. Stiles is not surprised: “Most of the e-mail traversing the Internet today is spam, and the fact that a spammer would take advantage of an easily implemented technology for any incremental gain is to be expected.” However, he adds that “the good news is that any spammer that is authenticating their e-mail is publicizing the source of those messages, making it easier for illegitimate e-mail to be blocked.”

Benefits of Authenticated E-Mail

Fortunately, authenticated e-mail helps both senders and recipients. To the sender, the most important benefit is the improved deliverability of e-mail. If you send out a mass mailing and it doesn’t reach the intended recipients because it has been blocked as spam, you have wasted your money. Both false positives and false negatives work against legitimate senders of e-mail. E-mail that fails the test is junked or deleted, or a warning may be sent to the recipient, leaving the choice in his hands.

The average consumer benefits from authenticated e-mail when mailbox providers use the technology in conjunction with spam-fighting processes. These techniques increase the reliability of legitimate e-mail, and make the illegitimate e-mail easier to target and reject.

However, authentication alone does not guarantee good e-mail: The sender’s reputation may then be queried to find out whether the sender, now validated as being the true sender, is trustworthy. In fact, some schemes actually establish a “trustworthy score” that relies on cumulative information about a sender to determine whether its e-mail should be delivered or junked.

E-mail reputation services will be further discussed in a later article. For now, here is our advice to companies big and small that rely on e-mail as a method of communicating with customers, vendors and partners:

Three steps should be taken by an organization to improve its own e-mail trustworthiness, and to help safeguard its reputation:

• First, take steps to authenticate outbound mail. Publish an SPF record and begin signing with DomainKeys.
• Second, apply the same standards to any third parties who are sending on your behalf. Don’t forget that they represent you and can impact your trustworthiness score.
• Third, work with your ISPs and e-mail providers, asking them for detailed feedback on signature validation and failures. In general, encourage any e-mail provider to authenticate and give feedback on performance.