E-mail authentication can help fight the spam crisis, but only a single, open standard will avoid confusion and crippling costs for small ISPs, a US government summit has heard.
The summit also questioned the security of the internet's domain name system (DNS), on which some leading e-mail authentication proposals are built.
Scott Chasin, chief technology officer of e-mail filtering company MX Logic, said holes in the DNS, which translates numeric addresses into readable internet domain names, could allow spammers to enter false authentication information.
Chasin supports efforts to create e-mail authentication but called for the widespread adoption of DNS Security Extensions, a security project that's been in the works for a decade and is now being approved by the IETF. "Authentication is not a cure-all for spam," said Chasin. "It is not a cure-all for phishing."
Participants in the summit, hosted by the Federal Trade Commission and the National Institute of Standards and Technology, were divided about laying down DNS rules to allow e-mail users to receive messages only from trusted senders.
Such authentication schemes would be based on a reputation system, similar to so-called white lists, in which e-mail from certain domains, such as Yahoo.com or IBM.com, would be cleared as legitimate e-mail. There could be multiple reputation systems run by multiple companies or organisations.
Elizabeth Bowles, president of ISP Aristotle.Net, raised concerns about at least six e-mail authentication proposals moving forward, including Microsoft's Sender ID and AOL's Sender Permitted From (SPF). She said that small ISPs couldn't afford to configure their e-mail to comply with a variety of authentication standards. The various proposals require ISPs and internet domain owners to publish different types of DNS records to comply with authentication standards.
"We can't have AOL implementing one system, and Microsoft implementing another, and everyone having to comply with a bunch of different standards," said Bowles. "It has to be unified."
She said that e-mail authentication standards had to be easy to implement and the solutions easy to tailor to an ISP's needs. "We can't have standards that would require us to basically get a licence for a piece of software that we couldn't subsequently modify or improve. If it is proprietary, at least it needs to be open, and it needs to be a flexible system."
Despite these concerns, others at the summit said e-mail authentication represented the best hope for senders who wanted to distinguish legitimate e-mail from spam.
Dawn Rivers Baker of the International Council of Online Professionals, a trade group for small online companies, said small net-based businesses were "getting slammed from all sides" because of spam and would welcome a way for their e-mail marketing campaigns to be tagged as legitimate e-mail.
Baker said that small businesses running marketing campaigns had to fight being labelled as spammers by customers who had forgotten they'd signed up for e-mail. Other members of the council have to deal with disgruntled customers who pay for a newsletter but have their ISP label it as spam and block it.
"We will jump through all of the hoops that you tell us to jump through," she said. "You want us to publish 57 records? You bet. You want us to encrypt? We'll do that too. You want us to tango? We'll tango."
Trevor Hughes of the Email Service Provider Coalition said that a recent study by e-mail services provider Return Path found that 18% of legitimate e-mail was blocked by the top 10 ISPs.
"For some companies that use e-mail marketing, that's a cost of doing business, but for an e-commerce site sending a shipping confirmation, or a telephone company sending a phone bill, those blocked e-mails are a problem," he said. "An e-mail authentication standard could solve some of those problems."
David Anderson, chief executive officer of Sendmail, estimated that the cost of establishing a good reputation in authentication schemes would be small. In most cases, he said, domains would establish reputations with each other, and individual e-mail users would not need to comply with multiple authentication schemes.
"If you are an established e-mail user, you will find it almost impossible not to establish a reputation," he said.
Grant Gross writes for IDG News Service