25 May 2011

The Email Authentication Top 10


If you’re in the financial services industry, you’ve no doubt heard of email authentication. Depending on who you’ve talked to and how much you’ve looked into it, you may think it’s the panacea for phishing, doesn’t really matter, or most likely something in between. Many misconceptions surround the topic, so this guide is meant to provide ten practical steps to understand:

  • What it is
  • Why it’s important
  • How to implement it
  • When to make the move
  • Where to go for more information

What?

#1. What it isn’t

Authenticating my email will solve my problems, right? Unfortunately not. The top three myths associated with email authentication are:

  • My messages will automatically get through
  • Phishing and spam will go away
  • I have to encrypt all my email

The reality is that there’s an element of truth in each of these statements, and authenticating email does help, but it’s not the cure to all your email ills.

#2. What it is

In basic terms, authenticating your email simply allows recipients of your messages to verify you as the actual sender. By doing so, recipients can be confident that authenticated messages are not spoofs, and as more legitimate senders authenticate, they can be more readily distinguished from spammers.

There are two industry standard methods of authenticating email today – SPF/SenderID, and DomainKeys (which is moving to DomainKeys Identified Mail, or DKIM). A brief description of each is provided below:

  • SPF/SenderID – In this method, senders publish a record in the Domain Name System (DNS) to indicate which IP addresses/hosts they send email from. Recipients of the email check the connecting IP address of the received message against the list of "authorized" sending addresses to validate the sender. Since this method is straightforward to implement, it has been widely adopted (an estimated 7 million domains as of February, 2007 according to Microsoft). Key email services checking for SPF/SenderID on incoming messages are MSN Hotmail/Windows Live Mail, Gmail, and Microsoft Exchange.
  • DomainKeys/DKIM – This method uses cryptographic signing of messages (a digital signature over the message, not encryption of its contents) to validate the sender of the message and verify that the message has not been altered in transit. Implementing DomainKeys requires software (or an appliance) at the sending end, and comparable capability at the receiving end to verify the signed message. Many vendors are now moving from DomainKeys to DKIM, which has just been ratified by the IETF. Many email server software vendors now support DK/DKIM, and interoperable software/appliances are available. Check with your email vendor for the latest update on their support for DK/DKIM. Key email services checking for DomainKeys on incoming messages are Yahoo! Mail and Gmail.
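
To make concrete what "not altered in transit" means for the DomainKeys/DKIM method, here is an added example (not code from the article or from any DKIM vendor) of the body-hash step a DKIM verifier performs, written in Python with only the standard library. It canonicalizes the received body as RFC 6376 describes, hashes it, and compares the result with the bh= tag of the DKIM-Signature header, so any change to the body on the way to the recipient is detected. The message text, the domain example.com and the selector notices are constructed for this example, and the final step, checking the b= signature against the public key published in DNS, is not shown.

```python
import base64
import hashlib
import re

# Added example (not from the article): the body-hash (bh=) step of DKIM
# verification as a receiver performs it. The message and header values
# below are constructed; the RSA check of the b= tag is not included.


def canonicalize_body(body, mode="simple"):
    """Body canonicalization as in RFC 6376 section 3.4.
    simple:  drop trailing empty lines; an empty body becomes a single CRLF.
    relaxed: additionally trim trailing whitespace on each line and collapse
             runs of spaces/tabs to one space, so harmless reformatting by an
             intermediate mail server does not break the hash."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: %s" % mode)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple", algo="sha256"):
    """base64(hash(canonicalized body)), the value carried in the bh= tag."""
    canon = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict. Folding whitespace is
    stripped from values, which is how verifiers read bh= and b=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def build_dkim_signature(body, domain, selector, mode="relaxed"):
    """Sender side: the DKIM-Signature header a signer would emit, with bh=
    filled in. b= is a placeholder; a real signer puts the RSA signature over
    the listed headers (and bh=) there."""
    return ("v=1; a=rsa-sha256; c=relaxed/%s; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=PLACEHOLDER"
            % (mode, domain, selector, body_hash(body, mode)))


def verify_body_hash(dkim_signature, body):
    """Receiver side: recompute bh= from the received body using the
    canonicalization and hash algorithm named in the header. False means the
    body was altered in transit (or the signer computed bh= incorrectly)."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]   # rsa-sha256 -> sha256
    return body_hash(body, body_mode, algo) == tags.get("bh")


# Constructed sample: a transactional notice as sent, as a whitespace-reflowing
# relay might deliver it, and as it would look if someone changed the link.
ORIGINAL_BODY = ("Dear customer,\r\n\r\nYour statement is ready.\r\n"
                 "Log in at https://www.example.com/ to view it.\r\n\r\n")
REFLOWED_BODY = ("Dear customer,  \r\n\r\nYour  statement is\tready.\r\n"
                 "Log in at https://www.example.com/ to view it.\r\n")
TAMPERED_BODY = ORIGINAL_BODY.replace("www.example.com", "www.example.net")

if __name__ == "__main__":
    header = build_dkim_signature(ORIGINAL_BODY, "example.com", "notices")
    for label, body in [("original", ORIGINAL_BODY), ("reflowed", REFLOWED_BODY),
                        ("tampered", TAMPERED_BODY)]:
        print("%-9s bh matches: %s" % (label, verify_body_hash(header, body)))
```

Run as a script it reports a match for the original and the reflowed copy (relaxed canonicalization tolerates whitespace changes) and a mismatch for the tampered copy; signing with simple canonicalization instead makes even the reflowed copy fail, which is why most senders choose relaxed for the body.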

Why?

#3. Get out of the pack

Getting unwanted messages? For most of us, the answer is a resounding “yes!” since according to several email providers, roughly 80% of email sent today is spam.

Getting fake messages? If you’re associated with a financial institution, you no doubt are familiar with the problem, since according to the latest Anti-Phishing Working Group report, nearly 90% of phishing messages purport to be from financial institutions.

Email authentication helps separate the wheat from the chaff by the simple fact that senders who authenticate their messages are willing to operate “in the light”, identifying their authorized domains and IP addresses for the world to see. Spammers and crooks can do this, too, but only in brief bursts since they have to constantly be on the move away from the authentication spotlight. Authenticating your email helps the world see you as a legitimate sender.

#4. Get through

Want your email to make it to the inbox? An increasing number of email services (e.g., Gmail, Hotmail/Windows Live Mail, Yahoo! Mail) and companies are using authentication as a key factor to determine whether to deliver messages. Though none have yet taken the step to reject unauthenticated messages, many whitelists and safelists in the industry have authentication as a prerequisite.

And the bar is rising even for non-whitelisted messages. In the last year, nearly all email services have shifted their delivery criteria weighting toward “reputation” and away from content. It’s probably no surprise that authenticated email drives a much better reputation score, since if you’re willing to identify yourself, you’re more likely to be a reputable sender.

It won’t be long before one or more email services draw a hard line on authentication as a prerequisite for delivery. Many companies who are major targets of phishers are now pushing for just such a policy (i.e., “if the message isn’t authenticated, don’t deliver it”), at least for their own messages. As the industry moves further in this direction, authentication will become a requirement rather than an option.

#5. Get noticed

Does my customer know (or care) if I authenticate my messages? Until recently, the answer was “no”. Although authentication has increasingly been used to determine delivery, the user has had no insight into the sender’s authentication practices (unless they like to read email headers… yeah, right).

This is changing, though with different philosophical approaches: Yahoo! Mail now gives an indication (with a subtle line of text and a small key icon) that messages have passed DomainKeys, while Windows Live Mail (Hotmail’s successor) gives a text indication if messages fail SenderID. This is a step in the right direction, since it provides insight for the user regarding the “trust-ability” of the message. Yet it lacks consistency across the industry, and doesn’t address standalone clients such as Outlook Express and Outlook, which provide no indication.

The Iconix® Truemark® service takes getting noticed to the next level, since it places an icon in the “from” column of the user’s inbox to indicate whether a message is authentic. This icon is a simple “check-lock” indicating trust and can also include the sending company’s logo (see screen shot example below). If the user hovers over the icon, an email authentication certificate is shown (analogous to a web site security certificate), giving more information about the sender.

Does it make a difference? In a recent study of users of the Iconix Truemark service, they opened messages more than twice as often when they were marked with an icon. For more information, including how the Truemark service fills authentication gaps and the reasons that authentication alone is not the answer, see “Making Email Effective Again” from the last issue of FST Online, http://www.usfst.com/pastissue/article.asp?art=268950&issue=183

How?

#6. Rally the team

Who needs to be involved? Depending on the size of the organization, there are usually several functional groups involved in planning and implementing email authentication, and it may not be obvious to some of them why authentication is important.

Therefore, it is a good idea to have a central owner for this initiative, inform all "stakeholders" up front, and get management buy-in to proactively clear potential hurdles. Groups who usually need to be involved or informed are: IT/operations, security, marketing, sales, and third parties involved with sending email.

#7. Round ‘em up

What information do I need in order to authenticate? The biggest challenge for many organizations is creating a complete list of all their domains that send email. And you need to be disciplined about it, since as soon as you start authenticating some of your messages, receiving entities will start expecting it for all of them.

In practice, we see the following scenario far too often: authentication is done properly for the company’s outsourced email (no surprise, since email service providers tend to be on the leading edge of implementation), mixed authentication results for the company’s marketing messages (usually due to some “rogue” groups who didn’t get or chose to ignore the call to authenticate), and no authentication for the company’s transactional messages (ironic, considering these messages are the ones most likely to be spoofed).

Be sure to cover all functional areas (sales, support, marketing, finance/operations) and any third-parties that may be sending on behalf of the organization (whether semi-permanent or for a one-time campaign).

#8. Choose your weapon

Which authentication method should I use? This is a common question and the simple answer is "both". The rationale for this answer becomes apparent when considering which email services check incoming messages for which method, as shown in the list below:

  • AOL – none
  • Gmail – SPF, DomainKeys
  • Hotmail, Windows Live Mail – SPF/SenderID
  • Yahoo! Mail/beta (and derivatives – AT&T, etc.) – DomainKeys

At this time, neither method covers all major services. As described previously, authentication is becoming a critical factor in delivery decisions, and since most companies send email to users across several major email services, the best practice is to support both methods.

In practice, most senders are supporting only SPF/SenderID at this time since it is easier to implement. Still, it’s straightforward to work with vendors offering DomainKeys/DKIM, either in the form of MTA (mail server) software; appliances or software that can be added to existing systems; or outsourced email service providers that already provide the support.

#9. Be vigilant

Now what? Once the chosen method(s) of email authentication is implemented, test it with a small set of messages before going "live" with all email. This involves sending messages to various email services to make sure they are authenticated and delivered properly. If you’re using an outsourced service, they’ll likely have automated ways to perform these tests and report the results.

Am I done now? Unfortunately this is not a "set and forget" issue. We often see messages from companies that previously passed authentication start to fail, usually for one of two reasons – new domains or IP addresses aren’t properly listed in the SPF/SenderID records, or an authorized third-party starts sending on behalf of the company and doesn’t properly set up the records.

If all key stakeholders are aware of the importance of consistent email authentication, it should be straightforward to ensure that authentication becomes part of the standard implementation and testing checklist, even as changes are made to the email infrastructure.
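
The SPF check described in #2 and the drift problem described in #9 (new IP addresses or third parties that never made it into the record) can both be exercised with a small evaluator. What follows is an added example in Python, not code from the article or from any of the vendors it names. The DNS answers and the relay log excerpt are constructed for this example, the domains are the reserved example.com and example.net names, and the evaluator covers the ip4, ip6, a, mx, include and all mechanisms with their qualifiers; it omits the ptr and exists mechanisms, macros, the redirect modifier and the DNS-lookup limit that a full implementation (RFC 4408 at the time of the article, RFC 7208 today) must enforce.

```python
import ipaddress
import re

# Added example (not from the article): a minimal SPF evaluator plus a
# drift audit over relay logs. DNS answers and log lines are constructed.

# Constructed stand-in for DNS; a real checker issues TXT, A and MX queries.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net "
                       "a:app.example.com -all",
        "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    },
    "A": {"example.com": ["192.0.2.1"], "app.example.com": ["203.0.113.5"]},
    "MX": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?$")


def _ip_in(ip, addr, prefix):
    """True if ip equals addr, or lies within addr/prefix when a prefix is given."""
    if prefix:
        return ip in ipaddress.ip_network("%s/%s" % (addr, prefix), strict=False)
    return ip == ipaddress.ip_address(addr)


def _matches(ip, domain, mech, arg, prefix, dns):
    """Evaluate one SPF mechanism for the connecting ip (an ipaddress object)."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        default = 32 if mech == "ip4" else 128
        net = ipaddress.ip_network("%s/%s" % (arg, prefix or default), strict=False)
        return ip in net                    # False when the IP versions differ
    if mech == "a":
        return any(_ip_in(ip, a, prefix) for a in dns["A"].get(arg or domain, []))
    if mech == "mx":
        hosts = dns["MX"].get(arg or domain, [])
        return any(_ip_in(ip, a, prefix)
                   for h in hosts for a in dns["A"].get(h, []))
    if mech == "include":
        return check_spf(str(ip), arg, dns) == "pass"   # include matches only on pass
    raise ValueError("mechanism not modelled here: " + mech)   # ptr, exists


def check_spf(ip, domain, dns=DNS):
    """SPF result for a message from ip whose MAIL FROM domain is `domain`:
    pass, fail, softfail, neutral, or none when no SPF record is published."""
    ip = ipaddress.ip_address(ip)
    record = dns["TXT"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        term = term.lower()
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if m is None:            # redirect= / exp= modifiers are not handled here
            continue
        mech, arg, prefix = m.groups()
        if _matches(ip, domain, mech, arg, prefix, dns):
            return QUALIFIERS[qual]
    return "neutral"             # no mechanism matched


def audit_senders(domain, log_lines, dns=DNS):
    """Drift audit for #9: pull the source IP out of each outbound-relay log
    line and report every sender the domain's SPF record would not pass."""
    findings = {}
    for line in log_lines:
        m = re.search(r"client=(\S+)", line)
        if m:
            result = check_spf(m.group(1), domain, dns)
            if result != "pass":
                findings[m.group(1)] = result
    return findings


# Constructed relay log excerpt: four authorized senders and one new
# marketing vendor (203.0.113.77) that was never added to the SPF record.
RELAY_LOG = [
    "2007-05-25T09:01:12Z relay1 accepted client=192.0.2.17 from=<alerts@example.com>",
    "2007-05-25T09:01:40Z relay1 accepted client=198.51.100.10 from=<news@example.com>",
    "2007-05-25T09:02:03Z relay1 accepted client=203.0.113.5 from=<app@example.com>",
    "2007-05-25T09:02:31Z relay1 accepted client=2001:db8:1::9 from=<news@example.com>",
    "2007-05-25T09:03:15Z relay1 accepted client=203.0.113.77 from=<promo@example.com>",
]

if __name__ == "__main__":
    for ip, result in audit_senders("example.com", RELAY_LOG).items():
        print("%s: SPF %s; add it to the record or stop it sending as example.com" % (ip, result))
```

Run as a script it reports only 203.0.113.77 (SPF fail); the two senders covered through include:mail.example.net and the one covered by a:app.example.com pass. Running this kind of audit against the real outbound logs whenever the infrastructure changes is the checklist step the paragraph above calls for.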

When?

#10. Now is the time

Is there really any debate here? If authentication helps separate you from the bad guys and gets more of your messages delivered and noticed, it’s a no-brainer – do it now. After years of phishing attacks and education regarding ways to prevent them, it’s shocking to see how many financial institutions still don’t authenticate email.

If you’re concerned about cost or complexity, at least take a basic first step and implement SPF/SenderID for your main consumer-centric email domains. You can phase in the rest as you get more experience and buy-in throughout your company. This isn’t the ideal best practice scenario, but it’s better than nothing and gets you moving in the right direction.

Bottom line – you don’t want to be caught in the wrong camp as authentication becomes a requirement for delivery of messages and for notification to users regarding message trustworthiness.

Where?

#11. Help!

OK, we’re beyond the top 10, but you don’t want to miss this – think of it as a bonus. There is an abundance of resources available to assist you in authenticating email, many of which are listed below:

The Direct Marketing Association (DMA)
The following link details how to authenticate the email your company sends
http://www.the-dma.org/antispam/E-MailAuthenticationComplianceFINAL.pdf

ESPC – The Marketers’ Guide to Accreditation, Reputation and Authentication Resources
Gives a practical assessment of ISP practices and industry resources to maximize email delivery and impact
http://www.espcoalition.org/Auth_Rep_Accred_Guide_Final_Rev1.pdf

Return Path – Email Authentication: Actions you need to take today
This whitepaper details the differences between cryptographic and IP based authentication methods
http://www.returnpath.biz/pdf/actions.pdf

Learning Guide: Understanding Your Authentication Options
SearchSecurity.com offers this guide with tips, expert advice, featured articles, and other original materials that help you understand today’s authentication challenge
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1123443,00.html#id

DomainKeys: Proving and Protecting Email Sender Identity
Detailed information on how DomainKeys works, reference implementation, and FAQs
http://antispam.yahoo.com/domainkeys

DomainKeys Identified Mail (DKIM)
Detailed information on how DKIM works
http://www.dkim.org/

SPF: Sender Policy Framework
Detailed information on the SPF authentication method
http://www.openspf.org/

Sender ID Framework
Detailed information on the Sender ID Framework authentication method
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

