Authentication technologies are a great way for businesses to protect their corporate domains against use in phishing and spoofing attacks, experts say.
Internet Service Providers (ISPs) and many businesses are ramping up use of technologies that whitelist domains associated with a specific sender.
Authenticating domains will be one more piece of the equation that formulates an e-mail’s score on the spam meter – the higher the score, the more likely it will be rejected by an ISP.
The weight given to authentication in that scoring formula should get heavier in the coming months.
“As more and more people authenticate their e-mails, it will allow ISPs to see if e-mails that seem to come from an organization are actually coming from the authenticated server,” says Chad White, director of retail insights at the E-mail Experience Council (EEC), the New York-based e-mail marketing arm of the Direct Marketing Association.
“The hope is this will allow the ISPs to do a much better job of eliminating phishing and spoofing,” he says.
E-mail marketers who wanted to ensure receipt of their messages were early adopters of authentication technology.
But now companies are picking it up to guard against cyber-criminals, according to the Seattle, Wash.-based Authentication and Online Trust Alliance (AOTA).
A five-month study of more than 100 million e-mails from Fortune 500 brands shows that over half of the legitimate e-mails sent worldwide on a daily basis are now authenticated in some way, AOTA announced Jan. 31.
That number continues to grow, says Craig Spiezle, chairman of AOTA.
Comprehensive data on the adoption will be released in June, at the company’s conference from their headquarters, he adds.
The association has called upon organizations to adopt authentication technologies.
“Our call to action was pretty strong, and not just from a traditional e-mail marketing perspective,” says Spiezle, who is also Microsoft’s director of Internet security and privacy. “Corporations need to be thinking about this at a corporate domain level.”
A number of service providers have also started using authentication to clear their outbound messages, and some have done so for their in-bound messages.
Gmail uses both Domain Keys (DK) and Sender ID, as does AOL. But Yahoo and Microsoft stick to their respective proprietary technologies, experts say.
“There is a large footprint on the receiving end for these messages,” says Matt Vernhout, director of delivery and ISP relations at ThinData Inc., a Toronto-based e-mail marketing adviser.
Web browsers are also looking to authentication data to guard end users against phishing attacks, White says. Internet Explorer, for example, has a phishing detection tool turned on by default that alerts users about a site’s security level.
“It’s not just your e-mail domains that need to be authenticated,” he says. “It’s your corporate domains… you need to take care of both your e-mail and Web domains.”
The IT department plays a key role in rolling out authentication for an enterprise, according to a ThinData white paper.
IT staff should establish a unique IP address for each type of communication, ensure software is patched, and be responsible for the proper use of reverse Domain Name System (DNS) verification from ISPs.
Spiezle cited the example of Bell Canada Enterprises, which recognized the importance of its ISPs getting e-mail services delivered and took action to put authentication to work.
In addition to putting vice-president-level employees on the project, the company reached out to industry partners for assistance.
“There’s no reason why anybody should not be authenticating,” White says. “It’s not expensive, it’s not overly complicated. You do it once and you’re set.”
While there are different camps on how to do authentication, White says businesses shouldn’t view it as a format war and wait around for a winner.
It might be a multiple-method system, the EEC director says.
“There’s nothing to stop you from using both technologies.”
Domain Keys, though, requires more CPU usage because of its encryption technique and may require a hardware upgrade for businesses looking to protect against in-bound messages, ThinData’s Vernhout says.
“I would hope businesses would want to protect their employees from fraudulent sources as well,” he says.
But authentication techniques aren’t bulletproof.
Even spammers could sign up to have their servers authenticated – but then they’d lose the anonymity so important to their practice.
“Spammers can become authenticated,” White says, “but why would they do that?”