December 5, 2005

Feature Editorial

Authentication Gaining Momentum

Many believe that email authentication promises to help stem the tide of spam by separating legitimate email from unwanted or dangerous email. According to the Email Service Provider Coalition (ESPC) Executive Director, Trevor Hughes, authentication is a step toward accountability. "Authentication will help improve the email ecosystem by shining a light on email to confirm 'I am who I say I am' and as a result we can start to clean up email."

The two most promising approaches to email authentication appear to be the Sender ID Framework (SIDF) and DomainKeys Identified Mail (DKIM).

Sender ID Framework

Sender ID Framework is an Internet Protocol-based solution that the Internet Engineering Task Force (IETF), Meng Weng Wong of PoBox, Craig Spiezle, director of Microsoft Technology Care and Safety, and others developed by combining two proposals: Sender Policy Framework (SPF) and the Microsoft Caller ID for E-mail. This is the approach Microsoft advocates, and it is making some early headway in adoption. Sender ID checks and validates the sending server's IP address(es) to verify that the server is authorized to send mail on behalf of the sending domain. Early implementation benefits include improved spam detection, enhanced sender reputation scoring, and a reduction in false-positive incidents among Sender ID-compliant mail senders.
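
The IP check described above, as an added example that is not part of the original editorial: a simplified Python evaluator for a published sender policy record. The record and addresses are constructed, only the `ip4`, `ip6` and `all` mechanisms are handled, and the record is assumed to have been fetched from the domain's DNS already.

```python
import ipaddress

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record (documentation address ranges, not a real policy).
SAMPLE_RECORD = "spf2.0/pra ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def check_sender(client_ip, record):
    """Return the policy result for the connecting server's IP address.

    Simplified: handles ip4, ip6 and all. Mechanisms that need DNS
    lookups (a, mx, include, ...) are reported as "unsupported".
    """
    terms = record.split()
    # Sender ID records begin "spf2.0/<scope>"; SPF records begin "v=spf1".
    if not terms:
        return "none"
    version = terms[0].lower()
    if not (version.startswith("spf2.0/") or version == "v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # catch-all, matches every sender
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"
        network = ipaddress.ip_network(value, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(addr, check_sender(addr, SAMPLE_RECORD))
```

A receiving server would feed the result into its spam scoring or reputation system rather than treating "pass" as proof that a message is wanted.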

DomainKeys Identified Mail

DKIM is a signature-based e-mail authentication proposal which is based on Yahoo!'s DomainKeys e-mail authentication technology and Cisco's Identified Internet Mail. DKIM was submitted earlier this year to the IETF for consideration as a new e-mail industry standard and to help enable industry-wide adoption of the technology. Many vendors such as IronPort Systems and SendMail already include the emerging authentication in their products.

Not Mutually Exclusive

Will we get to a point where we need to pick DKIM or Sender ID? No, says Spiezle. "We recognize that there are other complementary approaches on the horizon, such as the promise of DKIM, while it has not gone into an IETF working group, it hopefully will progress down a path. But we cannot wait six months or a year, because the online threats continue to escalate and get more sophisticated. By implementing Sender ID Framework today, we really are building the infrastructure and learning for DKIM or others to follow."

Joshua Baer, CEO of SKYLIST and co-chair of the Email Service Provider Coalition technology committee, believes "Authentication is an industry-supported movement and while it is not a complete solution, it is the necessary first step toward creating a framework for combating spam and phishing."

Microsoft, Yahoo!, America Online, the ESPC, the Direct Marketing Association, the Internet Advertising Bureau and the Federal Trade Commission have all urged the email marketing industry to adopt authentication standards. The ESPC and DMA actually require members to implement an authentication standard. Baer, who is also an email analyst for Ferris Research, estimates that, despite such measures, 50 percent of all online advertisers have not yet begun authenticating their outbound email, a statistic that he finds shocking. "Sending unauthenticated email messages will lead to a severe decrease in campaign performance and deliverability rates," he said.

Baer and his company are urging email marketers to implement email authentication standards before the busy holiday season. To help all marketers jumpstart authentication efforts, SKYLIST unveiled in early November the SKYLIST Authentication Package, an industry-first program that offers a risk-free, start-to-finish process proven to quickly and dramatically demonstrate positive ROI. Their new Authentication Package showcases the ease-of-use of email authentication standards while justifying the investment in authentication of outbound email marketing campaigns.

IN THE NEWS

Secure Messaging

Voltage Security, Inc., an enterprise privacy management company, announced last month their new innovations for removing complexity from encryption and secure messaging. The product provides fully enterprise-customizable secure messages that offer a rich, branded experience for end users.

Unlike traditional technologies such as PKI (public key infrastructure), the new Voltage Zero Download Messenger provides a completely clientless experience with absolutely no requirement for downloads of any kind; no applets, clients, scripts or any other type of code are downloaded with the Voltage-delivered secure message. This enables banks, insurance companies, healthcare institutions, and customer service organizations to securely push information and foster two-way communication directly with their customers and business partners easily and without creating end-user complexity.

In addition, the Voltage SecureMail solution has been enhanced to provide OpenPGP and S/MIME interoperability, enabling secure messages to be sent and received using legacy cryptographic protocols.

"Market growth for secure (encrypted) email beyond the enterprise boundary has been hindered by the difficulties of managing cryptographic keys," said Victor Wheatman, managing vice president and research area director, Gartner, Inc. "With improved manageability and ease-of-use, we expect to see continuing adoption of encrypted email by financial institutions, healthcare providers and others to protect personally identifiable information and corporate privacy."

We welcome your ideas and your news for Messaging Newswire's News & Trends in Email Security. Let us know what you think by sending your comments to editorial@messagingnews.com. Written or compiled by Stephanie Jordan
