Keeping it real

Oct 01, 2005 9:30 PM

The Internet’s biggest mailbox providers, including Yahoo!, Microsoft, and AOL, are moving ahead with sender authentication solutions that will affect marketers’ ability to get e-mail delivered. As a result, marketers who choose to ignore authentication will soon find even their customer service e-mails ending up in consumers’ junk folders.

Microsoft, for example, is implementing a sender identification system under which MSN and Hotmail in November will begin to flag as potential spam incoming messages for which its servers can’t verify the senders’ return address information. Microsoft’s move increases pressure on e-mail senders to adopt its authentication solution of choice, Sender ID Framework — a way to check if an e-mail that claims to be coming from a certain Internet domain (, for example) really is being sent from servers associated with that domain.

Although consumer marketers with a significant number of Yahoo!, AOL, and Hotmail addresses in their database should be the most concerned with e-mail authentication, business-to-business mailers are not off the hook. Corporations are increasingly implementing their own authentication solutions to filter incoming e-mail.

Spam accounts for 60%-80% of all e-mail, depending upon whom one believes. Spam and phishing — in which fraudulent e-mail claiming to be from a reputable financial institution or Website urges recipients to click on a link and provide their account numbers and passwords — are costing mailbox providers increasingly more money to combat. Also, the ability to keep spam and fraudulent messages out of people’s inboxes has become a major selling point for Internet service providers.

Hence the ISPs’ determination to adopt sender authentication. “The only part of an e-mail that cannot be spoofed, meaning falsified by a spammer, is the server or IP address [a unique identifying string of numbers] it comes from,” says Chip House, vice president of privacy and deliverability for Indianapolis-based e-mail services provider ExactTarget.

A common spam tactic is to use an open mail server in, say, Russia to send e-mail, and then to falsify all the header and domain information — the part of the e-mail that purportedly identifies where the e-mail came from — so that it looks as if it’s coming from a legitimate merchant such as eBay. “With authentication, eBay can now say, ‘Here are all the IP addresses that are allowed to send e-mail for eBay, and if you see e-mail from an IP address that is not listed in my sender ID record, it isn’t me,’” says House.

E-mail authentication is also expected to soon give ISPs the ability to maintain a sort of scorecard on the servers sending them e-mail so that the providers can determine how likely the incoming e-mail is to be spam.

Authentication solutions

There are two general types of e-mail authentication solutions: IP based and cryptographic. Of the IP-based solutions, there are two. The first, Sender Policy Framework, or SPF, is reportedly the simpler. The other, Sender ID Framework, or SIDF, is Microsoft’s IP-based solution, and it incorporates SPF. Microsoft is checking incoming mail using SIDF but will reportedly let e-mail using SPF go into its users’ mailboxes unflagged. AOL supports SPF.

Yahoo!’s authentication technology is cryptographic. Until recently it was called DomainKeys, but as the result of a partnership with Cisco Systems, announced in July, it is now called DKIM (pronounced dee-kim). It is not clear when DKIM will be implemented. E-mail using a cryptographic solution carries an encoded signature that the receiver’s servers verify using so-called public and private keys. The good news about DKIM for busy marketing executives is that it requires programming and possibly extra equipment, so there isn’t much to do but talk to whoever maintains the company’s outbound e-mail solution and make sure implementation is under way.

SIDF has been criticized as an incomplete solution that Microsoft is trying to cram down the industry’s throat, but by the end of the year, “it will be a fact of life” for those who send e-mail to Hotmail and MSN accounts, says Joshua Baer, CEO of Austin, TX-based e-mail services provider Skylist and chairman of the York, ME-based E-mail Service Provider Coalition’s technology committee. Moreover, Baer says, Microsoft’s demands in this case aren’t unreasonable.

“Imagine that Microsoft runs a really important bridge that connects two cities,” Baer says. “Right now, they’ve got all these cars going back and forth. Everyone has their windows blacked out, and they don’t have any license plates. They’re saying, ‘Hey look, if you want to cross the bridge, you’re going to have to put a license plate on your car.’ It’s not some terrible thing. It’s the only way they’re going to make sure that bad things aren’t coming over the bridge. All they’re doing is asking for some basic identification.”

IP-based solutions require publishing an SPF text record for every domain that a company uses to send e-mail. The tools and instructions for creating SPF records are online at; those for creating SIDF records are at These records list IP addresses of machines authorized to send e-mail in an Internet registry called the Domain Name System (DNS). This enables mailbox providers to look up the IP address that sent the e-mail and make sure it is authorized to do so.

Creating a DNS record for an IP address is reportedly fairly simple. The first step for a sender to implement SPF or SIDF is to take an inventory of every domain in the company from which e-mail is sent. Depending on the size of the enterprise, this can be quite an undertaking. E-mail often gets sent from subdomains such as or from the domains of subsidiaries. Examples of areas to consider during a domain inventory are human resources, investor relations, advertising and PR agencies, customer support, newsletters, and order/delivery confirmation.

Step two in implementing an IP-based solution is creating the records. Step three is working with your IT group to get the records published in DNS.

Accreditation and reputation

Of course, the Internet’s e-mail porn and get-rich-quick hucksters stay on top of the Internet’s technological developments just as well as — and often better than — their nonspamming counterparts. And no doubt many of them will be implementing their own ways to work around the authentication systems.

As a result, mailbox providers will soon begin to implement so-called e-mail accreditation and reputation systems, in which characteristics such as the complaint and bounce rates of IP addresses will be monitored to help determine the likelihood that incoming mail is unwanted. Marketers who don’t keep their lists clean or who draw too many complaints from recipients will reportedly find more of their outbound e-mail messages blocked or shoved off into junk folders.

The message from e-mail box providers is clear: Just because a car has a license plate doesn’t mean the person behind the wheel is a responsible driver. Likewise, just because e-mail is authenticated doesn’t mean its sender is not a spammer. But most industry observers agree that authentication is a necessary first step for combating the Internet’s worst scam artists. And anything that slows or halts the spam traffic is a bonus for legitimate e-mailers.

A competitive disadvantage

“Within a year…if you’re not publishing some kind of sender authentication you’re going to be at a competitive disadvantage,” warned Erik Johnson, vice president, e-mail infrastructure and secure messaging for Bank of America, during a presentation at July’s E-Mail Authentication Summit in New York. “The companies that are doing it are going to see their e-mails being opened more often by their customers. They’re going to have a high degree of trust with their customers.”

Johnson said that implementing Microsoft’s Sender ID Framework (SIDF) at Bank of America took about six months. But the time was well spent, he said, because a financial institution such as Bank of America must make sure that customers know they can trust its e-mail.

“Our brand and domains are a major phishing target,” he said. “We have a major retail footprint. We have a huge credit-card footprint. We have brokerage services. We have private banking services, and we have wealth management services. All of these have an e-mail component, and the bad guys — the phishers — are just dying to get our customers’ user names, passwords, and account numbers so they can line their own pocketbooks.”

Johnson added that consumers’ fear of identity theft is already costing Bank of America money. Customers who won’t bank online turn to more-expensive channels, such as the telephone. Moreover, 20% of e-mail users won’t open e-mail from their financial institution, he said. Twenty-six percent of American consumers won’t use online financial products, and 14% of consumers who once banked online have stopped. “We want to get those people back,” said Johnson.