Authentic Confusion: Clarifying E-mail Authentication

Jun 01, 2007 9:30 PM  By

Get into a conversation of any length about e-mail authentication — for example, which solution or solutions to adopt and why there are more than one — and it quickly makes you want to find the nearest techie from Yahoo!, AOL, or Microsoft and start smacking him around.

For one thing, Internet service providers have seemingly forever been implying that one day they’ll begin blocking e-mail that is not authenticated according to their particular scheme. But that day has yet to come, and it’s hard to know when it is coming.

“We’ve done some talking with ISPs,” says Pat Kachura, senior vice president, ethics and consumer affairs for the Direct Marketing Association, “and at one point we were under the impression that e-mail would have to be authenticated to be accepted by an ISP, and we thought that it was going to be announced by all the major ISPs imminently, but that announcement never came. We do know that whether or not you’re authenticated appears to be a piece of the overall reputation of a marketing firm, but it’s not in and of itself predictive of whether your e-mail will be delivered or not.”

Confusing? Maybe. But the good news is that as marketers you apparently don’t have to know all that much about e-mail authentication to know enough. It’s simply a matter of having a strong enough grasp on the subject to speak to the folks in IT — sorry, there’s no avoiding them on this issue.

Why comply

E-mail authentication is designed to enable e-mail inbox providers to determine if incoming mail has truly been sent by the company from which it purports to be sent. Authentication also allows ISPs to track the reputations of sending machines and process their mail accordingly. If incoming e-mail is not authenticated or the sending IP address has a bad reputation, the inbox provider can block it or divert it into the user’s junk mail folder.

At the Authentication and Online Trust Alliance (AOTA) Summit in April, Microsoft offered an astonishing statistic: 90% of e-mail marketers have implemented its Sender ID authentication solution. The software giant also reported that in the previous year, it had witnessed a threefold increase in adoption of its Sender ID solution, to 8 million domains worldwide.

And while spam overall had increased 40% in the previous 12 months, unsolicited bulk e-mail into Hotmail accounts dropped by half, with Sender ID accounting for 8% of that drop, Microsoft reported.

According to the company, 43% of legitimate e-mail coming into Microsoft-provided accounts is Sender ID compliant — “legitimate” being defined as nonspam messages in surveys of 200,000 random Hotmail users each week. The figure indicates that all but the tiniest of e-mail marketers have implemented Sender ID.

“When you get to 48% or 49% [compliance], you start getting into,” Microsoft executive Peter Ollodart said during a panel discussion at the AOTA Summit.

One reason for such a high adoption rate is that both the DMA and the E-mail Sender and Provider Coalition (ESPC) require e-mail authentication for membership. “The ESPC will tell you their [compliance] number is closer to 100%,” says Craig Spiezle, director of online safety at Microsoft.

Microsoft’s Sender ID solution is only part of the picture. There are multiple other schemes, and the DMA does not require its members to adopt any particular one of them. “We just said that they had to be authenticated and that they had to be authenticated under one of the schemes,” says Kachura.

So far the results have been mixed, she adds: “We’re finding that a lot of people are authenticated, and a lot of people still need to be educated on how to get authenticated.” As a result, the DMA in April launched an online resource to help its members get up to speed on authentication ( “We are educating to bring everyone into compliance,” Kachura says.

It’s an extremely important task, and here’s why: During the past two years, the battle against spam has morphed into an all-out war between ISPs, who are trying to preserve e-mail as a communication channel for their subscriber base, and online criminals, who are forging companies’ brands to dupe consumers into handing over their financial information and hijacking people’s computers to spread so-called malware (viruses, worms, and other sorts of malicious software).

“We aren’t fighting the issue of spam as we’re used to defining it,” says Spiezle. “It’s not the unsolicited marketing mail; it is the deceptive mail, the malicious mail. It is the mail that has the phishing, the zombies, and the bots.”

More is more

Microsoft’s Sender ID scheme is one of three authentication standards you need to be aware of. Why isn’t there just one universal standard? The reason is reportedly quite simple: The giant egos at Microsoft, Yahoo!, and AOL, among others, simply cannot agree on a single standard with which to authenticate mail.

“You’ve got the biggest egos in the high-tech industry all saying they’re fixing the problem, and until all of them can say, ‘It’s not a me thing, it’s an us thing,’ we’re never going to get anywhere,” says one e-mail executive who asked not to be named.

Ready to start smacking some techies around yet?

Bottom line: There are multiple solutions. The other two authentication schemes you need to understand are Sender Policy Framework, or SPF, and DomainKeys.

SPF and Sender ID are Internet protocol-based solutions, meaning they verify that the IP address of incoming e-mail is from a server authorized to send e-mail on behalf of the company named in the e-mail’s return address. AOL uses SPF.

Yahoo!, EarthLink, Google, and Verizon, among others, use a cryptographic solution called DomainKeys. E-mail signed with DomainKeys carries an encoded signature that the receiver’s servers verify using public and private encryption keys.

Complicating things a bit more, however, Yahoo! announced a partnership with Cisco Systems in 2005 that resulted in DomainKeys Identified Mail, or DKIM, the final specifications for which should be released soon. Shifting from DomainKeys to DKIM (pronounced “dee-kim”) is not expected to be that big of a deal.

“One of the great idiosyncrasies of authentication is that… not all senders are signing with any or all of those [schemes] and not all receivers are looking for the same things,” says Rick Buck, director of privacy and ISP relations for e-Dialog, a Lexington, MA-based e-mail services provider. As a result, Buck recommends implementing Sender ID, SPF, and DomainKeys.

Modest benefits

Although most other experts recommend implementing all three schemes as well, the ISPs haven’t been especially effective at offering commercial e-mailers a benefit for doing so. Yahoo! displays a little key symbol in the top of messages using DomainKeys that the user can click on to find out what it means. Microsoft says that e-mail is more likely to get delivered when it arrives authenticated with Sender ID. These are not the massive benefits we usually like to see from technical upgrades.

But the consensus is that sooner or later authentication will reach critical mass and ISPs will begin blocking e-mail that isn’t signed. And for those who have yet to authenticate, critical-mass day will appear out of nowhere and be an extremely unpleasant surprise.

“Right now there are some modest benefits to be had from doing authentication right,” says George Bilbrey, general manager of the delivery assurance solutions unit for Return Path, an e-mail services provider with offices in New York and Superior, CO. “My belief is that over time, as the adoption rate of these [schemes] continues to grow, we’ll get to a point where if you’re not authenticating, it will really hurt your deliverability.”

Now it’s time to talk with IT

The first step for implementing e-mail authentication is taking an inventory of every domain in your company from which e-mail is sent. Depending on your company’s size, this can be quite an undertaking. E-mail often gets sent from subdomains such as or from the domains of subsidiaries. Examples of areas to consider during a domain inventory are human resources, investor relations, advertising and PR agencies, customer support, newsletters, and order/delivery confirmation.

Taking inventory of all your domain names is the most difficult part of e-mail authentication, “but it’s all downhill from there,” says Return Path’s Bilbrey. “The problem you’re trying to avoid is declaring in Sender ID or SPF that you’re signing everything but then you forget a mail server, and suddenly you’re having problems associated with that.”

Step two for IP-based solutions is creating a text record for each of these IP addresses from which your company sends e-mail. This is a fairly simply process. The tools and instructions for creating SPF records are online at; those for creating Sender ID records are at

Step three for Sender ID and SPF is to work with your IT group to get the records published in an Internet registry called the Domain Name System (DNS). This enables mailbox providers to look up the IP address that sent the e-mail and make sure it is authorized to do so.

DomainKeys requires you to create a public and private key pair for each record. Details on how to do this is available at

For more information