Beyond Can-Spam: E-mail Authentication

Nov 01, 2004 10:30 PM

If you send e-mails to your customers with any degree of regularity, be on your guard. In the months since the Can-Spam Act took effect in January, the rules governing bulk e-mail have changed.

So far, though, Can-Spam has done little to reduce spam. In fact, according to Cupertino, CA-based spam filter manufacturer Symantec, spam now accounts for 65% of all e-mail, up from 58% in January. Other estimates put the portion of spam as high as 83% of all e-mail. And the more spam there is, the greater the chance that fed-up recipients will ignore and delete legitimate, opt-in messages along with the bulk messages cluttering their e-mailboxes.

So throughout this year there has been an intensified focus on e-mail authentication, proposals for which have been bouncing around for more than six years.

With e-mail authentication, explains Stephen Guerra, director of deliverability and ISP relations for Atlanta-based Silverpop, a provider of permission-based e-mail marketing solutions, upon receiving an e-mail at its gateway, an ISP will look at the name of the sender on the “from” line, then “view the publicly accessible record for that sender to see if that sender is authorized to send that e-mail.” That entails looking up the sender’s domain in the Domain Name System (DNS), the public database that maps domain names to Internet protocol (IP) addresses, to confirm that the IP address the message actually arrived from is one the domain’s owner has listed as permitted to send its mail. If there’s a discrepancy, or if the domain has published no such record, the ISP will scrutinize the message further and perhaps block it.

Matching the sending address against the domain’s published record should enable ISPs to combat spoofing (the use of someone else’s domain name) and phishing (spam e-mails sent from forged domain names that request consumer data, such as credit-card or Social Security numbers).

The major ISPs have been trying to hammer out an industrywide platform for e-mail authentication standards. One contender is Microsoft’s Sender ID, which merges the Sender Policy Framework (SPF), a scheme in which a domain publishes in the DNS the IP addresses permitted to send its mail, with Microsoft’s own Caller ID for E-Mail. Yahoo! has produced its own platform, dubbed DomainKeys. Whereas Sender ID relies on SPF records in the DNS listing authorized sending addresses, DomainKeys has the sending server sign each message with a private key; the receiving server fetches the matching public key from the DNS and checks the signature, which both ties the message to the domain and shows it wasn’t altered in transit.

The Internet Engineering Task Force (IETF), an Internet technical standards group, has been weighing both options. But on Sept. 14, the IETF rejected Microsoft’s Sender ID proposal because the group feared that Microsoft’s patent claims on the technology would make the standard difficult to adopt widely. The following day America Online said it wouldn’t support Sender ID either. Both the IETF and AOL say they will still consider the SPF portion of Sender ID, however, along with DomainKeys and an alternative plan for Sender ID that would sidestep the Microsoft patent issues.

Getting on the white list

As ISPs clamp down on spam, the best thing e-mail marketers can do, according to Michael Della Penna, chief marketing officer for New York-based e-mail service provider Bigfoot Interactive, is to register their IP addresses with the leading ISPs that offer white-listing programs. With white-listing, ISPs maintain a running record of customer complaints about each e-mailer. If the number of complaints stays below a threshold (the thresholds vary among ISPs), the sender’s e-mails won’t be subjected to the ISP’s spam filters.

According to several sources, as much as 17% of legitimate e-mail is accidentally blocked by ISPs’ spam filters. White-listing improves delivery rates because spam blockers often stop legitimate e-mail along with spam.

Currently AOL and Yahoo! are the only ISPs that run their own white-listing programs. E-mailers can sign up for those white-listing programs for free by going to their Websites. Other major ISPs, including MSN and Hotmail, don’t have their own programs but accept the Bonded Sender program run by IronPort Systems. E-mailers with low consumer complaint rates can turn over their mailings to Bonded Sender, which applies the digital equivalent of a seal of approval to the messages, enabling them to bypass the spam filters of participating ISPs. Bonded Sender charges an annual licensing fee ranging from $500 for 500,000 messages transmitted per month to $10,000 for unlimited transmissions.

Before you can be accepted into a white-listing program, though, you need to publish your SPF records in the DNS. According to Geoff Smith, director of e-business development for Stamford, CT-based Primedia Business, which publishes business magazines and e-newsletters (including Catalog Age), this is a relatively simple process. First, have an information technology staffer reconfigure your e-mail headers so that they include lines showing the path the messages took from the sender. That shouldn’t take him more than a half-hour, Smith says.

From there, you use an open source application called BIND, the DNS server software, to add the SPF records to your domain’s DNS zone, says George Bilbrey, general manager of delivery assurance for Return Path, a New York-based e-mail service. “You figure out which people in your organization control the IP addresses of the different kinds of e-mail you send out,” Bilbrey says. “Then you add each of them to the DNS records so that the ISPs know which IP addresses are permitted to send e-mails for you.”
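The two halves of that procedure in code: the sender building the record that lists which IP addresses may send its mail, and the ISP checking the connecting address against that record (the SPF side of Sender ID described earlier). This is an added Python example, not the article’s code nor that of any SPF implementation. The record is published as a DNS TXT record at the domain; the DNS snapshot here is constructed from documentation address blocks. One caveat worth knowing: SPF proper evaluates the domain of the SMTP envelope sender (MAIL FROM), which is available before the message body is transmitted, whereas Sender ID derives the domain from message headers; this code takes the envelope address. It covers the ip4, ip6, a, mx and include mechanisms (without the optional CIDR suffixes on a and mx) plus the all catch-all, enforces the specification’s limit of ten DNS-querying mechanisms per check, and ignores modifiers such as redirect= and exp=.

```python
# Added example (not the article's or any SPF project's code): a sender builds an SPF
# TXT record from the addresses allowed to send its mail, and a receiver evaluates
# the connecting IP against a domain's record. The DNS snapshot below is constructed.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # SPF caps DNS-querying mechanisms (a, mx, include) per check


class SpfPermError(Exception):
    """Record is malformed, references a missing record, or exhausts the lookup budget."""


def build_spf_record(ip_ranges, includes=(), use_mx=False, policy="-all"):
    """Sender side: the TXT record to publish at the domain. Every source that sends
    mail for the domain must be listed, or its mail will hit the policy term."""
    if policy not in ("-all", "~all", "?all", "+all"):
        raise ValueError("policy must be one of -all, ~all, ?all, +all")
    nets = [ipaddress.ip_network(r, strict=False) for r in ip_ranges]
    terms = [f"ip{n.version}:{n}" for n in nets]
    if use_mx:
        terms.append("mx")  # the domain's MX hosts also send its mail
    terms += [f"include:{d}" for d in includes]  # e.g. an e-mail service provider
    return " ".join(["v=spf1", *terms, policy])


def _spf_txt(domain, dns):
    recs = [t for t in dns.get(domain, {}).get("TXT", [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(recs) > 1:
        raise SpfPermError(f"{domain}: multiple SPF records")
    return recs[0] if recs else None


def _addresses(host, dns):
    return [ipaddress.ip_address(a) for a in dns.get(host, {}).get("A", [])]


def _evaluate(ip, domain, dns, budget):
    record = _spf_txt(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=): not handled in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            budget[0] += 1
            if budget[0] > LOOKUP_LIMIT:
                raise SpfPermError("too many DNS lookups")
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = ip in _addresses(arg or domain, dns)
            elif name == "mx":
                matched = any(ip in _addresses(h, dns)
                              for h in dns.get(arg or domain, {}).get("MX", []))
            elif name == "include":
                inner = _evaluate(ip, arg.lower(), dns, budget)
                if inner == "none":
                    raise SpfPermError(f"include:{arg} has no SPF record")
                matched = inner == "pass"  # only a pass inside the include matches
            else:
                raise SpfPermError(f"unknown mechanism {name}")
        except ValueError as exc:  # bad IP/CIDR syntax in the record
            raise SpfPermError(str(exc)) from exc
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end with no 'all' term


def check_spf(client_ip, mail_from, dns):
    """Receiver side. mail_from is the SMTP envelope sender (MAIL FROM), which is what
    SPF checks before the body is transmitted; Sender ID instead takes the domain from
    message headers. Returns pass/fail/softfail/neutral/none/permerror."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    try:
        return _evaluate(ipaddress.ip_address(client_ip), domain, dns, [0])
    except SpfPermError:
        return "permerror"


# Constructed DNS snapshot using documentation address blocks; nothing here is real.
EXAMPLE_DNS = {
    "example.com": {
        "TXT": [build_spf_record(["192.0.2.0/24"], includes=["_spf.esp.example"], use_mx=True)],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.esp.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"]},
    "soft.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # self-include
    "nospf.example": {"A": ["192.0.2.200"]},
}

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "news@example.com"), ("203.0.113.25", "news@example.com"),
                       ("198.51.100.9", "news@example.com"), ("203.0.113.99", "news@example.com"),
                       ("203.0.113.99", "x@soft.example"), ("192.0.2.10", "x@loop.example")]:
        print(f"{ip:>14} {sender:<20} {check_spf(ip, sender, EXAMPLE_DNS)}")
```

Publishing -all is the strict choice: mail from any address not listed fails outright, so every source (the corporate mail server, the newsletter provider, the CRM system) has to be enumerated first, which is the inventory Bilbrey describes. ~all is the cautious alternative while that inventory is still being built, and the loop.example entry shows why the lookup limit exists: a record that includes itself would otherwise send the ISP’s resolver into an endless chain of queries.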

“Right now, only AOL and Yahoo! are holding e-mailers accountable through their white-listing programs,” says Ben Isaacson, privacy and compliance leader for the CheetahMail e-mail division of Costa Mesa, CA-based data provider Experian. But once an e-mail authentication program is in place and fully standardized by the IETF, then more white-listing programs by other ISPs will follow, he says. “Every ISP could be doing this soon as well.”

And when might an e-mail authentication standard finally be in place? Industry experts had been hoping that the ISPs and the IETF would reach a conclusion by the end of this year. Now it looks more likely that a combination of Sender ID and DomainKeys will become the standard next year, with more ISPs rolling out their own authentication programs and standards until then.

Spam Glossary

By now you know that spam is, plain and simple, unsolicited bulk e-mail. But do you know what phishing is? Spoofing? And what about tools to fight spam such as the Bayesian filter? Here’s a cheat sheet:

  • BAYESIAN FILTER: a technique that looks beyond subject lines and headers into the entire e-mail message to identify spam; Bayesian filter software refines its spam-identifying criteria the more messages it analyzes

  • DOMAINKEYS: a technology proposal by Internet service provider Yahoo! designed to give e-mail providers a mechanism for verifying both the domain of each e-mail sender and the integrity of the messages sent; once the domain can be verified, it can be compared to the domain used by the sender in the “from” field of the message to detect forgeries and help ward off spoofers and phishers

  • HIJACKING: sending an e-mail that, when the recipient opens the message or clicks on the attachment, unleashes a virus that infiltrates and “spoofs” the recipient’s e-mail address, allowing a spammer to actually use that computer to send more spam

  • PHISHING: the fraudulent solicitation for account information, such as credit-card numbers and passwords, by impersonating the domain and e-mail content of a company to which users have entrusted the storage of these data. The e-mail message will direct the recipient to a Website resembling that of the legitimate company; the site will include a form for the recipient to input his personal information, which the scammer can use for identity fraud

  • ROKSO: Register of Known Spam Operators, a list of spam operators that have been thrown off at least three ISPs (www.spamhaus.org/rokso)

  • SENDER ID: a proposed authentication standard that is a merged proposal between the authors of SPF and Microsoft’s Caller ID

  • SENDER POLICY FRAMEWORK (SPF): allows mail servers to distinguish forgeries from “genuine” e-mail from a domain; works before the message body is transmitted, saving ISPs and other e-mail recipients the bandwidth cost of downloading the message and the cost of filtering it

  • SPOOFING: the forging of another person’s or company’s e-mail address to get users to trust and open a message

Sources: Direct Media Association, Pobox.com, Webopedia.com