Danger: Authenticating e-mail can break it

The spam-fighting technique is valuable, but implementing it incorrectly could damage a company's e-mail system.

CHICAGO--The promise of e-mail authentication is too good to ignore, but if it is implemented incorrectly it will break a company's mail system instead of fixing it, experts have cautioned.

"Deploy smart. Don't just do it," Erik Johnson, a secure messaging executive at Bank of America, said in a presentation at the Authentication Summit here Wednesday. "If you just do it, you may just break it."

For the past two years, the technology industry has been advocating the use of systems to guarantee the identity of e-mail senders. It sees such authentication as key to the fight against spam and phishing, as it should help improve mail filters and make it harder for senders to forge their addresses. The industry also likes to advertise that these systems have practically no cost.

Organizations have been buying into the promise of restoring trust in e-mail. The number of Fortune 500 companies that sent authenticated mail has increased, from 7 percent in July last year to 20 percent at the end of March 2006, according to Microsoft. The software giant is the main backer of a caller ID-like system for e-mail called Sender ID.

"Setting aside rewriting SMTP, e-mail authentication is the best thing we have today," Johnson said, referring to the Simple Mail Transfer Protocol, the basic technology behind e-mail. Yet adopting sender authentication and managing it is not simple, he said. It took Bank of America six months to deploy the technology.

E-mail ID cheat sheet
Here's the lowdown on the main technologies that are out to clean up e-mail by identifying the source.

Sender ID
Brings together two previous security technologies: Caller ID for E-mail, introduced by Microsoft in February 2004, and SPF, developed by Meng Wong. Sender ID compliant e-mail requires an SPF tag in a Domain Name System record to identify valid machines sending mail from that domain.

Short for Sender Policy Framework. Both main versions of SPF records comply with Sender ID, but they verify a different "from" address. SPF 1 validates the sender data contained in the e-mail envelope data, which is typically only read by e-mail systems. SPF 2 verifies the "from" name displayed to the user. Industry experts advise companies to publish and use both.

Merges Yahoo's DomainKeys with Cisco Systems' Internet Identified Mail. DKIM, or DomainKeys Identified Mail, relies on public key cryptography. It attaches a digital signature to outgoing e-mail so recipients can verify that the message comes from its claimed source.

"It really is not easy to deploy sender authentication right. If you are in a large organization, you really can't just push the easy button," Johnson said. "This requires pretty much constant attention and activity...or else it will break and it will hurt you."

There are two main ways of authenticating e-mail: Sender ID and DomainKeys Identified Mail, or DKIM. Backed by Yahoo and Cisco Systems, DKIM relies on public key cryptography. It attaches a digital signature to outgoing e-mail, so recipients can verify that the message comes from its claimed source.

Sender ID is further along in adoption than DKIM. It requires Internet service providers, companies and other Internet domain holders to publish SPF (Sender Policy Framework) records to identify their mail servers. This usually does not require new hardware or software; the most arduous part is doing an inventory of mail servers and the subsequent maintenance of that record.

"The story is that (this type of sender authentication) is cheap to do. That is not true," said David Crocker, the principal at Brandenburg InternetWorking and author of one of the early e-mail standards. "The ongoing IT cost is huge."

The key problem for large companies is figuring out all the systems that send e-mail on their behalf, said Paul Judge, chief technology officer at e-mail security company CipherTrust. "If you are a large multinational organization, you may have e-mail gateways in 10 countries, you may have marketing companies that send e-mail on your behalf," he said.

Featured Video