Email Authentication Part One: Introduction

Posted by bkloss | Email Deliverability | Friday 22 February 2008 9:44 pm

A common misconception exists about email deliverability. When asked why an email is blocked or junked, many people will respond that the content of the email was considered spammy. Although spam filters do block or bulk email whose content uses words common to spam, email authentication also factors into an ISP's decision to deliver mail. ZDNet defines email authentication as:

“The verification that an e-mail message has been sent by the domain name in the From field. Called “domain spoofing,” spammers falsify the From address in their messages in order not to be identified. SPF Classic, Sender ID and DomainKeys are authentication methods that are expected to proliferate. They all rely on DNS records, either to obtain sending mail server addresses or public keys for decrypting a digital signature. See Sender ID, DomainKeys and SPF.”

Confused yet?

Good. In this series of posts, I will explain the need for and rise of the three most prolific path authentication strategies (SPF, Sender ID and DomainKeys). This post provides a brief introduction to email path authentication. I will provide a general outline that will guide you in your implementation of each sender authentication method and give links that will further your efforts.

Spam: the impetus for email authentication

To understand the need for email authentication, you have to consider the state of email today. Sources vary, but it is safe to assume that between 50% and 90% of all email messages are considered spam by some source. A study from MAAWG in 2005 estimated that between 80 and 85% of all mail is considered spam. In response, email clients like Gmail and Outlook have developed systems that filter out the spam so people’s in-boxes are not flooded with the newest offer for Viagra :)

The initial attempt to hinder the efforts of spammers utilized filters. Spam filters assign relative weights to “spammy” content. If a message’s weight breaches a predetermined threshold, it is considered spam. Here’s the problem: one man’s spam is another’s permission-based email. For instance, I tried to send out a message today that contained the phrase HARDCORE in reference to a copywriting technique. Well, the mail was flagged in a spam filter test because the word hardcore is used by pornography spammers. This is an instance of a false positive, where a spam filter blocks a piece of permission-based mail in error. ISPs are aware of this reality, and so their relationship with spam filters is one of love and hate. If the filters are set too restrictive, you get false positives; too lax, and spam will get through.

That’s just the beginning when it comes to problems with spam filters. Here are a few more examples.

Spammers can trick content-based filters by using uncommon words (find women tonight - indubitably) and spam word variations (F*R*E*E*). Recently, spammers have switched to image-based HTML to hide spam words altogether. Filters have been modified for each of the new techniques, but they are stuck in a constant cat-and-mouse game where each new attempt to
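The weighted scoring described above can be sketched in a few lines. This is an added example, not code from the original post or from any real filter: the weights, the threshold and the sample messages are constructed assumptions. It reproduces the HARDCORE false positive, shows why F*R*E*E* scores low under naive tokenising, and shows the normalisation step a filter adds to score it correctly.

```python
import re

# Constructed weights and threshold (assumptions for illustration only).
WEIGHTS = {"free": 2.0, "viagra": 4.0, "hardcore": 3.5, "offer": 1.0, "tonight": 1.0}
THRESHOLD = 3.0

# Letters separated by single punctuation marks, e.g. F*R*E*E* or F.R.E.E
SPACED_WORD = re.compile(r"\b(?:[A-Za-z][^A-Za-z0-9\s]){2,}[A-Za-z]?")

def tokens(text):
    """Naive tokenising: lowercase runs of letters."""
    return re.findall(r"[a-z]+", text.lower())

def normalised_tokens(text):
    """Collapse punctuation-separated letters into one word, then tokenise."""
    collapsed = SPACED_WORD.sub(
        lambda m: re.sub(r"[^A-Za-z]", "", m.group()), text)
    return tokens(collapsed)

def score(text, tokenizer=tokens):
    """Sum the weights of every known word in the message."""
    return sum(WEIGHTS.get(t, 0.0) for t in tokenizer(text))

def is_spam(text, tokenizer=tokens):
    """A message is flagged once its total weight reaches the threshold."""
    return score(text, tokenizer) >= THRESHOLD

# Constructed sample messages.
SAMPLES = {
    "legitimate newsletter": "Try this HARDCORE copywriting technique",
    "obfuscated spam": "F*R*E*E* offer tonight",
    "plain mail": "Meeting notes attached",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:22} naive={score(body):.1f} flagged={is_spam(body)} "
              f"normalised={score(body, normalised_tokens):.1f} "
              f"flagged={is_spam(body, normalised_tokens)}")
```

Normalisation closes the F*R*E*E* gap but does nothing for the false positive, which is the trade-off the threshold forces on a content-only filter.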

In addition, spammers and phishers can send messages with a reply-to email address purporting to be anyone from bill@microsoft.com to george@whitehouse.com (commonly known as address spoofing). Unsuspecting recipients may surrender personal information after opening an email they believe is from their bank or their boss, only to find out later that their bank accounts have been drained of funds.

Address spoofing also harms the owner of the spoofed address, not just the recipient. Suppose a spammer sends malicious and derogatory content purporting to be from bob@legitimatebusinessowner.com. At best, Bob will have to waste time processing email bounces. In the worst scenario, Bob will receive angry emails that can damage the reputation of his business (this is commonly known as backscatter).

So, how do we combat the unfortunate situations listed above? By implementing a system of sender reputation based in part on email authentication. In the last few years, the efforts to fight spam have focused on a newer element that is far riskier and more difficult to trick: the sending IP.

Our next installment will talk about SPF records as a means of combating the situation described above. Sit tight and enjoy the ride :)

2 Comments »

  1. Comment by Kaitabasura — March 12, 2009 @ 6:50 am

    Don’t you hate spam too?

  2. Comment by Bruce — September 12, 2009 @ 4:22 pm

    Thanks. Very helpful article! Great story!
