SenderID / SPF / DomainKeys

Most email is handled by the Simple Mail Transfer Protocol (SMTP). Unfortunately, SMTP was designed in an era when nobody recognized a need for significant security measures. Today, spam and phishing have exposed the underlying security weaknesses of SMTP. As a result, various efforts are underway to add the necessary security to prevent future spam, phishing and other unsavory uses of email. The two primary methods being pursued are identity verification and reputation management. Above and beyond the technical issues, reputation management schemes have political and cost considerations, and thus little real progress has been made in these efforts. In contrast, identity verification can be accomplished via technical solutions, and so more work has been done with it. The three primary identity verification schemes currently in development or use are described briefly below.

Sender Policy Framework (SPF)

SPF is an emerging mail server standard that aims to prevent forged e-mail addresses. For SPF to work, two parties must participate. First, webmasters/administrators for domains that wish to send email need to publish DNS SPF records. These records indicate the server(s) from which a domain sends mail. Any mail coming from a different server is to be considered forged. Second, e-mail administrators (typically for a web hosting firm or large email provider like Google, Yahoo! or an ISP) need to install SPF-enabled message transfer agents (MTAs[1]) to read SPF records. For reference, the primary resource for all things SPF related is the openspf.org site.
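To make the receiving side concrete, here is an added example (not code from the original article or from the openspf.org project) of what an SPF-enabled MTA does with a published record: it parses the TXT record, compares the connecting server's IP against the listed networks, and maps the matching qualifier to a result. The record for "example.com" and the IP addresses are constructed sample values. Only the ip4, ip6 and all mechanisms are evaluated, because the others (a, mx, include, exists, ptr) require live DNS lookups; they are skipped so the code runs offline.

```python
import ipaddress

# Constructed sample record for a hypothetical domain (assumed values, not a real zone):
# mail may come from 192.0.2.0/24 or 2001:db8::/32; anything else should be rejected.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result name
RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples.

    Modifiers such as redirect= and exp= are ignored in this offline example.
    """
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for token in fields[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if token[0] in RESULT_OF:
            qualifier, token = token[0], token[1:]
        if "=" in token:
            continue  # modifier, not a mechanism
        mechanism, _, value = token.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms


def check_host(record, sending_ip):
    """Evaluate the record against the IP of the connecting server.

    Returns pass, fail, softfail or neutral. A record whose mechanisms never
    match and that has no 'all' term yields neutral, as the SPF spec requires.
    """
    address = ipaddress.ip_address(sending_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism == "all":
            return RESULT_OF[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A bare address without a prefix length is a single host.
            network = ipaddress.ip_network(value, strict=False)
            if address.version == network.version and address in network:
                return RESULT_OF[qualifier]
        # a, mx, include, exists, ptr need DNS and are skipped here
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", check_host(SAMPLE_SPF, ip))
```

In a real deployment the MTA would run this check at SMTP time against the domain in the envelope sender (MAIL FROM) and apply its policy to the result; a "fail" for a domain that publishes "-all" is the signal that the message did not come from one of that domain's declared servers.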

SenderID

The Sender ID Framework (SIDF) is an e-mail authentication solution that helps identify and block forged and deceptive e-mail. The standard is spearheaded by Microsoft in collaboration with other industry leaders, Internet service providers (ISPs), and organizations worldwide. SIDF combines the Sender Policy Framework (SPF) and Microsoft Caller ID for E-Mail in an integrated, no-cost authentication solution that does not require any third party software licenses. So, basically, SenderID is like SPF with a few additions.

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail) is an open-standard, signature-based email authentication system spearheaded by Yahoo! in collaboration with AOL, Microsoft, IBM, Verisign, Sendmail and other leading companies. DomainKeys essentially gives email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent (i.e., that they were not altered during transit). Under this system, the domain owner generates a public/private key pair to use for digitally "signing" all outgoing messages. The public key is published in the domain's DNS record, and the private key is made available to the DomainKey-enabled outbound email servers. When an email is sent, the private key is used to generate a digital signature that is appended to the email header. On the receiving end, the public key from DNS is used to verify that signature and authenticate the email. DKIM does not eliminate or compete with other email authentication technologies such as SPF or the Sender ID Framework; it is a sophisticated secondary level of defense. This site will tell you how to start the process of getting your DKIM keys. Read more at the Yahoo! Anti-Spam Resource Center.
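The integrity half of DKIM is easy to see in code. A DKIM-Signature header carries a bh= tag, the base64 SHA-256 hash of the canonicalized message body, and the receiver recomputes it before checking the RSA signature over the headers. The following added example (not from the original article or from any DKIM implementation) performs the "simple" body canonicalization, computes bh=, parses the tag=value header, and compares the two; it also shows how a single changed character in transit breaks the check. The sample body and header are constructed values, and the b= tag is left empty because the public-key signature over the headers needs an RSA library that is outside the standard library.

```python
import base64
import hashlib


def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization: drop all trailing empty lines,
    then make sure the body ends with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canonical = canonicalize_body_simple(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Turn the tag=value list of a DKIM-Signature header into a dict.
    Whitespace inside values is removed, since the header may be folded anywhere."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def verify_body_hash(dkim_signature_value, body):
    """Receiver-side check of the bh= tag. Only rsa-sha256 with simple body
    canonicalization is handled in this example; anything else is rejected."""
    tags = parse_dkim_tags(dkim_signature_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        raise ValueError("unsupported DKIM version or algorithm")
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        raise ValueError("only simple body canonicalization is implemented here")
    return tags.get("bh") == body_hash(body)


# Constructed sample message body and signature header (assumed values, not real mail).
SAMPLE_BODY = "Your invoice is attached.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b="  # header signature omitted: needs the domain's RSA private key
)


if __name__ == "__main__":
    print("bh =", body_hash(SAMPLE_BODY))
    print("unchanged body:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("attached", "at http://example.net")
    print("tampered body:", verify_body_hash(SAMPLE_SIGNATURE, tampered))
```

Two properties are worth noticing: trailing blank lines do not change the hash (so ordinary MTA handling of the body end does not break signatures), while any change to the visible text does. The b= signature, which this example does not compute, is what ties the headers and this body hash to the domain's published public key.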

Miscellaneous Thoughts

Clearly something needs to be done about spam and phishing. Just how useful the methods described above are is debatable, but one thing that must be pointed out is that identity verification cannot actually eliminate spam or phishing problems. That is because a spammer can adhere to any of the identity verification schemes. Likewise, spam that is generated by worms or bot networks will be indistinguishable from legitimate email if the infected source has adopted an identity verification scheme. For more criticisms of the SPF scheme, an interesting, if a bit technical, article is SPF is harmful. Adopt it.


[1] An MTA is the program responsible for receiving incoming e-mails and delivering the messages to individual users. The MTA is commonly referred to as the mail server program. UNIX sendmail and Microsoft Exchange Server are two examples of MTAs.
