Unsolicited email now represents approximately 80% of all Internet mail traffic and continues to grow. Attempts to control spam are frustrated by the lack of a robust method of authenticating the sender. Laws are of little value if you cannot find the criminal. Company policies on acceptance of email are impotent when it is so easy to forge the mail headers.
Strenuous efforts have been made over the last year to introduce reliable authentication mechanisms without disruption to the mail system, of which two - Sender-ID and Domain Keys - are now being deployed.
The objective of this session was to provide practical guidance on when and how enterprises should adopt these two technologies and how to take advantage of them to get spam under control.
Dave Anderson, President and CEO of Sendmail Inc., kicked off the day with his view of the big picture of how authentication fits into the whole email ecosystem. His upbeat presentation predicted that recipients will ultimately gain control of their email systems and that getting on an individual's "allow list" will be a key element in communication, particularly for marketing organizations.
Jon Callas, Chief Technology Officer and Chief Security Officer for Sendmail Inc., addressed the question: "Will email authentication stop phishing?" His conclusion is that it will change the nature of phishing, but crime predated email and is likely to find a new "vector" if the existing mechanisms are blocked.
Craig Spiezle, Director, Safety Technology Group, Microsoft Corporation, described the Sender-ID Framework mechanism for sender authentication. This was implemented live in Hotmail on January 1st and there is already evidence of improved performance of spam blocking (fewer false positives and fewer spam messages getting through).
Jon Callas then talked about the status of cryptography-based approaches to authentication. Two competing proposals - Domain Keys and Internet Identified Mail - are now being merged. Both approaches are already being used with positive results.
Ken Schneider, Chief Architect, Network and Gateway Security, Symantec, talked about the role of authentication in a multi-layer approach to spam filtering and in brand protection by making it easier to prevent phishing.
Des Cahill, CEO of Habeas Inc., discussed the value of linking authentication to accreditation and reputation services. In conclusion he identified the need for a "mid-level" automated accreditation process for small to medium companies and for concerted industry action to generate a "network effort" for authentication.
The final session of the day was a panel session in which all of the speakers addressed the question: "What does it mean to me?" This session, which is available as part of the conference proceedings (see below), came to the following conclusions:
- Companies should create an SPF record now, defining the systems that they use to send email. The cost is low, the risk is low, and there is an immediate reduction in the amount of bounced mail arising from mail sent by imposters.
- Companies should consider upgrading their Message Transfer Agents to check SPF records "soon". The major vendors have software just about ready to ship.
- It is probably worth holding off on implementation of cryptography-based approaches until the merging of the DK and IIM specifications is complete.
- Companies should start to worry about their email reputation now, making sure that policies are in place to prevent events that would generate a negative reputation, such as an ill-managed direct marketing campaign.