Efforts to put an end to e-mail phishing scams are working, thanks to the development of e-mail authentication standards, according to a pair of Google security researchers.
Internet industry and standards groups have been working since 2004 to get e-mail providers to use authentication to put a halt to e-mail address impersonation. The challenge was both in creating the standards that the e-mail's sending and receiving domains would use, and getting domains to use them.
Elie Bursztein, Google's anti-abuse research lead, and Vijay Eranti, Gmail's anti-abuse technical lead, wrote that these standards -- called DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) -- are now in widespread use.
"91.4 percent of nonspam e-mails sent to Gmail users come from authenticated senders," they said. By ensuring that the e-mail has been authenticated, the standards have made it easier to block the billions of annual spam and phishing attempts.
While social media gets all the buzz, the statistics they shared tell the story of the enormous use of e-mail and the challenges in preventing e-mail address fraud.
More than 3.5 million domains that are active on a weekly basis use the SPF standard when sending e-mail via SMTP servers, which accounts for 89.1 percent of e-mail sent to Gmail.
More than half a million e-mail sending and receiving domains that are active weekly adopted the DKIM standards, which accounts for 76.9 percent of e-mails received by Gmail.
In all, 74.7 percent of incoming e-mail to Gmail accounts is authenticated using both DKIM and SPF, and more than 80,000 domains publish e-mail policies that allow Google to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard to reject "hundreds of millions" of unauthenticated e-mails per week.
The pair cautioned domain owners to make sure that their DKIM cryptographic keys were 1024 bits, as opposed to the weaker 512-bit keys. They added that owners of domains that never send e-mail should use DMARC to create a policy that identifies the domain as a "non-sender."
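A domain owner can verify the key-length advice against their own published DKIM record. The following Python check is an added example, not code from the article or from Google: it parses a DKIM TXT record (the `v=DKIM1; k=rsa; p=<base64>` format from RFC 6376) with a small hand-written DER reader and reports the RSA modulus size, using constructed records with dummy moduli so it runs offline; in practice the record would be fetched from DNS at `<selector>._domainkey.<domain>`.

```python
import base64

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; only used here to build the constructed sample keys."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def fake_rsa_spki(bits: int) -> bytes:
    """Constructed SubjectPublicKeyInfo with a dummy modulus of `bits` bits (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = der(0x30, rsa_oid + der(0x05, b""))
    # INTEGER n gets a leading 0x00 because its top bit is set; e = 65537
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(txt_record: str) -> int:
    """Return the RSA modulus size in bits from the p= tag of a DKIM TXT record."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    spki = base64.b64decode(tags["p"])
    _, outer, _ = read_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = read_tlv(outer, 0)           # skip AlgorithmIdentifier
    _, bitstr, _ = read_tlv(outer, pos)      # BIT STRING; first byte = unused-bit count
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)  # RSAPublicKey SEQUENCE
    _, modulus, _ = read_tlv(rsa_key, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def is_weak_dkim_key(txt_record: str, minimum_bits: int = 1024) -> bool:
    """True when the key is shorter than the 1024-bit minimum the researchers recommend."""
    return dkim_key_bits(txt_record) < minimum_bits

# Constructed sample records with dummy moduli (not real signing keys)
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(512)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("ok", OK_RECORD)):
        print(name, dkim_key_bits(rec), "bits, weak:", is_weak_dkim_key(rec))
```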
Google did not immediately respond to questions about the origins of the unauthenticated e-mails.