WASHINGTON - E-mail authentication can help fight the growing spam e-mail problem, but vendors need to come up with a single, open standard to avoid confusion and crippling costs for small ISPs (Internet service providers), participants in a U.S. government summit said Wednesday.
The security of the DNS (the Internet's Domain Name System), on which some leading e-mail authentication proposals are built, was also called into question at the conference, hosted by the U.S. Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST). Holes in the DNS, which translates numeric addresses into readable Internet domain names, could allow spammers to enter false authentication information, said Scott Chasin, chief technology officer of MX Logic Inc., an e-mail filtering company.
"I believe the fragile nature of DNS will affect those trying to thwart e-mail authentication schemes," Chasin said.
MX Logic supports efforts to create e-mail authentication, but Chasin also called for the widespread adoption of DNS Security Extensions (DNSSEC), a security project that's been in the works for a decade, and is now being approved by the Internet Engineering Task Force (IETF). "(Authentication) is not a cure-all for spam," he added in an interview. "It is not a cure-all for phishing."
Participants in the summit seemed divided about the potential of e-mail authentication that would establish DNS rules to allow e-mail recipients to receive e-mail only from trusted senders. Such authentication schemes would be based on a reputation system, similar to so-called white lists, in which e-mail from certain domains, such as Yahoo.com or IBM.com, would be cleared as legitimate e-mail. There could be multiple reputation systems run by multiple companies or organizations.
Elizabeth Bowles, president of the 40,000-subscriber ISP Aristotle.Net Inc., raised concerns about at least six e-mail authentication proposals moving forward, including Sender ID, advanced by Microsoft Corp., and Sender Permitted From (SPF), being used by America Online Inc.
Small ISPs can't afford to configure their e-mail to comply with a variety of authentication standards, she said. Bowles and others who had concerns about e-mail authentication noted that various proposals require ISPs and Internet domain owners to publish different types of DNS records to comply with authentication standards.
"We can't have AOL implementing one system, and Microsoft implementing another, and everyone having to comply with a bunch of different standards," said Bowles, whose company is based in Little Rock, Arkansas. "It has to be unified."
E-mail authentication standards should be easy to implement and the solutions should be easy to tailor to an ISP's needs, she added. "I don't think it can have a part of it that's proprietary, that would require us to basically get a license for a piece of software that we couldn't subsequently modify or improve," she said. "If it is proprietary, at least it needs to be open, and it needs to be a flexible system."
Despite these concerns, others at the summit said e-mail authentication represents the best hope for senders who want to distinguish their e-mail from spam.
