
Can Authentication Make The E-mail Highway Safe?


Industry agreement on authentication standards will significantly improve the security of e-mail communications if . . .



Silicon Valley has been a battleground for technology standards throughout its history of fostering innovation. It’s just inevitable if you consider the drivers of a competitive market.

However, lack of standards resolution can leave end users at a disadvantage. Just look at the multiple memory card formats used to store digital camera images -- users are hindered by competing formats that can only work with certain devices.

Today's standards battle is brewing in the world of e-mail authentication, a process which seeks to authenticate the sender of a message and help filter out e-mail threats. Industry agreement on authentication standards will significantly improve the security of e-mail communications if the following conditions are met:

  1. The “gorillas” in the market put personal agendas aside, and then come together and agree on standards.
  2. E-mail vendors upgrade their offerings to authenticate and leverage authentication in evaluating e-mails.
  3. E-mail administrators ensure that their outbound e-mail is authenticated and test for authentication on inbound e-mail.

E-Mail Authentication Standards: It’s Like Seatbelts And Airbags

Significant progress has already been achieved as Microsoft Caller ID and Meng Weng Wong’s Sender Policy Framework (SPF) came together under the umbrella of the Sender ID Framework. At the same time, Yahoo! DomainKeys joined together with Cisco Systems and its Internet Identified Mail to become DomainKeys Identified Mail (DKIM). However, this has left us with two leading authentication methods vying for dominance.

Now it is time for those loyal to Sender ID and DKIM to put their personal agendas aside and move forward to embrace these standards. Let’s get over the standards debate and celebrate a resolution. It is time that the Microsoft camp gets behind DKIM and integrates it with Hotmail. It is time for Yahoo! to get behind Sender ID and integrate it with Yahoo! Mail. Each authentication standard alone is solid, but together they provide a much stronger safety net.

The current debate is akin to seatbelts and airbags -- you certainly wouldn’t get in a car without either of them and using both provides the best passenger safety available. The auto industry started with seatbelts, or in the case of e-mail authentication, Sender ID, but there were still some “holes” or potential for danger. The auto industry added airbags, and in the case of e-mail authentication, DKIM entered the game.

While Sender ID has greater adoption momentum, it must still become much more widespread to have a significant impact. Rapid adoption of both standards must happen as the first step toward improving e-mail security.

Authentication Alone Does Not Provide E-Mail Security -- Reputation Must Be A Factor

Unfortunately, even with worldwide adoption of both e-mail authentication standards, e-mail will still be vulnerable. Sender ID validates that the e-mail actually arrived from the domain it claims to come from. DomainKeys Identified Mail validates the domain as well, and makes sure the content is unchanged during transit.

Both are effective, in different ways, at ensuring the e-mail was sent from where it states. However, neither provides any indication of whether that sender is “good” or “bad”…wanted or unwanted.

Once an e-mail is authenticated, a determination must be made of whether that e-mail is wanted. A popular method is to check the domain against a reputation service. This is a step in the right direction, whereby a system can say that all e-mail from "spammersite.com" is unlikely to be wanted whereas e-mail arriving from "goodcompany.com" is likely to be wanted.

Even This Combination Does Not Keep E-mail Safe

But, while reputation services are necessary they are not sufficient. Reputation services today only make decisions on a domain level. In cases where domains send a combination of good and bad messages, reputation services cannot help. Unfortunately, this mixed quality situation is common.

Most users of Internet Service Provider message systems send legitimate e-mail, but it is difficult for an ISP to ensure there is not a single abuser of the system on their network. And companies and other organizations will typically have good senders within their networks, but due to virus and zombie infections, they may have some users that unknowingly send out spam or virus e-mails.
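The argument of the last three sections, as an added example that is not part of the original article: an inbound check in Python that first requires a Sender ID or DKIM pass for the From domain and then consults a domain-level reputation table. The `Authentication-Results` header layout, the `mx.receiver.example` server name, the reputation table and the four sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"   # assumption: our own MTA's authserv-id
# Constructed domain-level reputation table (a real service is queried remotely).
REPUTATION = {"spammersite.com": "bad", "goodcompany.com": "good",
              "bigisp.example": "good"}

RESULT_RE = re.compile(r"\b(sender-id|dkim)=(\w+)", re.I)
DOMAIN_RE = re.compile(r"\bheader\.(?:d|from)=(?:[^\s;@]*@)?([\w.-]+)", re.I)

def authenticated_domains(msg):
    """Domains with a Sender ID or DKIM 'pass' recorded by our own MTA."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        parts = header.split(";")
        if parts[0].strip().lower() != TRUSTED_AUTHSERV:
            continue                      # ignore headers a sender could have forged
        for clause in parts[1:]:
            result, domain = RESULT_RE.search(clause), DOMAIN_RE.search(clause)
            if result and domain and result.group(2).lower() == "pass":
                domains.add(domain.group(1).lower())
    return domains

def verdict(raw_message):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if from_domain not in authenticated_domains(msg):
        return "reject: unauthenticated"
    reputation = REPUTATION.get(from_domain, "unknown")
    if reputation == "bad":
        return "reject: bad reputation"
    return "accept" if reputation == "good" else "quarantine: unknown reputation"

def sample(from_addr, results):           # builds a constructed test message
    return (f"Authentication-Results: {TRUSTED_AUTHSERV}; {results}\n"
            f"From: {from_addr}\nSubject: constructed sample\n\nbody\n")

FORGED = sample("ceo@goodcompany.com", "sender-id=fail header.from=goodcompany.com; dkim=none")
SPAMMER = sample("deals@spammersite.com", "dkim=pass header.d=spammersite.com")
GOOD = sample("billing@goodcompany.com", "sender-id=pass header.from=goodcompany.com")
# Zombie-infected customer of a well-regarded ISP: authenticates, domain is "good".
ZOMBIE = sample("user123@bigisp.example", "dkim=pass header.d=bigisp.example")

if __name__ == "__main__":
    for name in ("FORGED", "SPAMMER", "GOOD", "ZOMBIE"):
        print(name, "->", verdict(globals()[name]))
```

The `ZOMBIE` message is accepted even though it stands for spam from an infected machine: it authenticates correctly and its domain has a good reputation, which is the mixed-quality gap described above.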

A Safe Road Ahead Is Still Possible

To ensure our e-mail highway is safe, the full lifecycle of an e-mail attack must be monitored and that information leveraged with authenticated e-mail. An end-to-end e-mail attack monitoring system evaluates not just the sender, but also messages, recipient feedback, and the location a message is taking the user to, among other data. Comprehensive data monitoring is imperative to deliver a robust protection system -- the last piece of the puzzle.

It sounds like a steep hill, but we’ve already come a long way. What needs to be done now is simple:

  • Microsoft and Yahoo! must come together to promote the quick and broad adoption of both Sender ID and DKIM authentication standards.

  • Vendors must provide systems that can evaluate authenticated e-mail coming inbound.

  • Businesses must list their Sender ID records, look toward stamping messages with DKIM so that adoption is widespread, and evaluate inbound messages.

With these actions, e-mail users should expect a safe road ahead.

Anne Bonaparte is president and CEO of MailFrontier, a Silicon Valley company that creates and manufactures messaging security software and hardware solutions.



