Trust in Email Begins with Authentication

Posted by J.D. Falk on

Unfortunately, forging From: or other commonly seen email headers is trivially easy. It’s one of the most frustrating oversights in the creation of internet email technology — though of course that’s only obvious in hindsight; it was just fine for the pre-internet networks of the late 1970s and early-mid 1980s.

Since then, things have changed — and the most interesting recent technological advancements in email have been in the realm of sender authentication, which encompasses ways to verify that the apparent sender of a message actually is the entity which sent it. Before you can answer the question “can I trust this message?,” you first have to ask “who sent it?” — but before authentication, there was often no way to know for sure.

The first authentication technology to catch the interest of the industry was Meng Wong’s SPF, which also formed the basis for Microsoft’s SenderID. In parallel, Yahoo! developed DomainKeys, which has now evolved into DomainKeys Identified Mail, or DKIM. All of these are free to use, though some have licensing requirements or patents which may prevent derivative works.

Having what looks like four entirely different technologies may seem confusing, and marketing tactics from some of the organizations involved certainly haven’t helped. Luckily, our friends at the Messaging Anti-Abuse Working Group have published a new white paper, Trust in Email Begins with Authentication, which should help to clarify things. It provides a much-needed substantive overview of the authentication methods and practices currently in use, without inappropriate bias or attempts at coercion.

We hope that this effort will raise the level of debate within the email industry, and lead to faster adoption of authentication technologies. Sender authentication will not, obviously, solve spam — it has very little to do with spam, in fact — but curtailing the bad guys’ ability to send messages that look like they’re from your bank or other trusted institution will certainly help.

This article originally appeared on CAUCE.org in a slightly different form. Some CAUCE Board members — including the author of this article — contributed to the MAAWG document, and are regular attendees of MAAWG events.

