Email Authentication Confusion
July 28, 2005 | In: Technology
I see a lot of confusion surrounding the intent of email sender authentication technologies.
Sender ID, SPF, and DomainKeys (now DKIM) will not stop spam. Period. They’re designed to authenticate the identity of the email sender. Period.
One camp says that using these technologies will help stop spam. Yes, they’re actually right. An email message with a spoofed address can be blocked. What happens when spammers start to use these same technologies to send their email? The other side of this argument will say that the purpose is defeated if spammers can use it, but this is to be expected. This is nothing more than short-term thinking on both sides of the fence.
Before I talk about long-term results, I first want to discuss the short-term consequences of using sender authentication. A result of knowing the identity of the sender is that more power is in the hands of administrators and users. Spammers will be forced to use legitimate email addresses, so knowing this information allows one to easily block email which he or she doesn’t want to receive. This helps stop spam before it reaches the expensive content filter, which will result in a cost savings.
The ability to put a stop to phishing scams and other fraudulent emails is probably the biggest benefit of authentication technology. All of those PayPal and eBay messages, for example, telling you to update your account information can be a thing of the past, but only as long as targeted companies participate in one or all of the potential standards.
The long-term goal here is to establish a robust email infrastructure on the Internet where users only receive the email they want. We know that spammers will use real email addresses that will pass authentication tests. This is where reputation services will become important. A mail server will be able to take the domain of the sender and check it against a database. Based on the reputation returned by the service, the mail server can accept, block, or tag the email as spam. A sender’s reputation can be based on anything, but most likely will be determined by the number of complaints received by the reputation service itself.
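To make the two-stage flow concrete (authenticate the sender's domain first, then consult a reputation database to accept, block, or tag), here is an added example that is not part of the original post. It implements a minimal SPF evaluator for the `ip4`, `ip6`, and `all` mechanisms against constructed SPF records standing in for DNS TXT lookups, and a constructed reputation table keyed by sending domain; the record contents, the complaint-rate metric, and the thresholds are all assumptions made for the example.

```python
import ipaddress

# Constructed SPF records (assumption: these replace live DNS TXT lookups).
FAKE_DNS_SPF = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example.org": None,  # domain publishes no SPF record
}

# Constructed reputation database: complaints per 1000 messages (hypothetical metric).
REPUTATION_DB = {
    "example.com": 0.1,
    "mail.example.net": 4.5,
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record against the connecting IP.

    Supports only ip4, ip6 and all; mechanisms that need further DNS
    (a, mx, include, ...) are reported as permerror in this offline example.
    """
    record = FAKE_DNS_SPF.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"
    # Record ended without matching any mechanism and without "all".
    return "neutral"


def policy(domain, client_ip, accept_threshold=1.0, block_threshold=3.0):
    """Return (action, spf_result, reputation) for an incoming message.

    Authentication gates reputation: a reputation score is only meaningful
    for a domain that actually passed the sender check.
    """
    spf = check_spf(domain, client_ip)
    if spf == "fail":
        return ("reject", spf, None)  # spoofed sender, block before content filtering
    if spf != "pass":
        return ("tag", spf, None)  # unauthenticated; hand off to the content filter
    rep = REPUTATION_DB.get(domain)
    if rep is None:
        return ("tag", spf, None)  # authenticated but unknown sender
    if rep >= block_threshold:
        return ("reject", spf, rep)  # authenticated, but complaint rate too high
    if rep > accept_threshold:
        return ("tag", spf, rep)
    return ("accept", spf, rep)


if __name__ == "__main__":
    # Constructed connection attempts: (claimed domain, connecting IP).
    for dom, ip in [("example.com", "192.0.2.7"),
                    ("example.com", "203.0.113.5"),
                    ("mail.example.net", "198.51.100.10"),
                    ("nospf.example.org", "192.0.2.7")]:
        print(dom, ip, policy(dom, ip))
```

The ordering matters: an SPF `fail` is rejected before any reputation lookup, a `softfail`, `neutral`, or `none` result falls through to the content filter with a tag, and only a `pass` lets the reputation score drive the final accept or reject decision. The thresholds are illustrative and would be tuned per deployment.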
While I consider reputation services to be the next step in the evolution of spam fighting, I do think that we’re a long way from that goal. In the meantime, server administrators will probably employ a combination of technologies, with various layers of content checks and the like.
Handling email is going to be a lot more complicated before it gets simpler.