The booming trade inand the looming threat of , in the form of spoofing and , have seriously dented our confidence in e-mail. Despite a multimillion-dollar industry surrounding , and several attempts to banish the problem with regulation, spammers and fraudsters continue to stay one step ahead.
The problem is that SMTP, or Simple Mail Transfer Protocol, the protocol designed to move e-mails from server to server, is still a system based on trust. Anyone submitting a message can claim to be anyone else, with little or no accountability.
The industry has willingly thrown its weight behind the concept--companies that would normally consider themselves competitors have united behind specific standards and technologies. The Internet Engineering Task Force worked diligently, collaborating with companies on authentication technologies, and its efforts were critical to the evolution of e-mail authentication, even though it was unable to develop a single standard.
The government has also recognized the importance. The Federal Trade Commission and the National Institute of Standards and Technology recently hosted the Email Authentication Summit, at which industry leaders met to discuss what progress had been made to date, as well as the future of authentication.
Despite this support, the question remains: How do we take the theory of e-mail authentication and put it into practice? What do the actual legitimate senders and receivers of e-mail need to do to ensure they're prepared and protected? It's now up to individual businesses to do their part, but what do they need to do?
Today there are two widely known technologies that have serious supporters. Sender ID Framework, or SIDF, is an IP-based solution that combines Microsoft's Caller ID for e-mail proposal and Meng Wong's Sender Policy Framework, or SPF. , a signature-based approach supported by Yahoo, and Identified Internet Mail, another signature approach by Cisco Systems, both require software to be implemented by the sender and receiver to verify the integrity of the message.
Signature approaches are considered to be longer-term solutions for robust e-mail systems, while SIDF is easier to deploy for simple implementations. A team of top e-mail industry players is working with both Cisco and Yahoo to develop a single signature specification. That implementation should be available to the IETF for standardization by the second half of 2005.
As recommended by 34 industry leaders in a recent letter to the FTC, e-mail authentication initiatives should be rolled out in two phases. This two-step strategy incorporates, first, IP-based approaches and then signature-based approaches. Organizations should adopt SIDF today and then, as signature-based solutions mature, deploy them as well. The two schemes complement each other in the long term, resulting in a robust solution to address the range of platforms, user environments and deployment requirements worldwide.
These results alone should be enough to convince us that we're approaching the end of e-mail as we know it. The schemes are critical pieces of the technology that should be adopted by any site or company that depends on the reliable delivery of their outbound e-mail or the protection of their brand and domain name. They should also be used by other receivers that wish to be able to prove the identity of mail senders, as well as provide a safer and more reliable way to accept inbound messages beyond traditional mail content filtering.
Every receiving site will have to decide for itself which sender authentication approaches to take and what requirements to place on incoming mail in order to best suit its needs. But companies should also expect their customers, partners and suppliers to use a variety of schemes, or risk being unable to exchange messages with whole segments of their supply chain. The "industry" can only support e-mail authentication--it's now up to individual businesses to make it happen.