Email Sender and Provider Coalition UPS THE ANTE IN CALL FOR EMAIL AUTHENTICATION
Consumer confidence in email is in crisis.
Despite its widespread adoption and its potential to revolutionize communication, productivity and commerce, email is on the verge of losing consumers' confidence, and with it their willingness to conduct business transactions online. Consumers are overwhelmed by a flood of spam that is, at best, annoying and, at worst, offensive or damaging: Pew Research recently reported that 53 percent of consumers trust email less and 22 percent now use email less. While these figures represent an improvement over last year, they are nonetheless profoundly troubling statistics that are bound to worsen with the rising epidemic of phishing (identity theft) schemes.
Consumer confidence in email is under assault on two fronts:
- Trustworthiness. Can I trust the email received to be safe and from whom it says it is?
- Reliability. Can email be relied upon to deliver the communications I want, need and expect to receive?
For companies that are legitimate senders of email, the confidence issues are equally vexing. They need to be able to rely on the medium to deliver their business-critical communications, and to do so without their brands being appropriated and degraded by others. Of course, companies have a vested interest in the restoration of consumer trust too. Without it, there is little assurance that the email received will actually be read.
The stakes are enormous.
Email accountability represents our industry's best chance to restore confidence, and take the medium back from the spammers. The very viability of email as a vehicle for online commerce and communication is at stake, and the stakes are enormous. The Direct Marketing Association (DMA) estimates that "legitimate commercial e-mail resulted in approximately $39 billion in sales in 2004, including about $9 billion in small business sales." The DMA further suggests that "e-mail can deliver even more value for consumers and more dollars for the U.S. and global economies if scams proliferated through spam and phishing/spoofing can be reduced or eliminated."
For many companies, restoring confidence in email is not a choice. They're wholly dependent on online commerce or have optimized their operations around it and simply can't move back to the offline world. Email trustworthiness and reliability are now mandatory for such companies to grow and prosper.
Accountability is the answer; authentication is the first step.
Today's problem with email is all about the lack of accountability. It's entirely too easy for spammers and phishers to evade accountability for their fraudulent activity by disguising their identity or assuming the identity of a legitimate company. As early proponents of accountability in email, the Email Sender and Provider Coalition (ESPC) recognized that authentication was the critical first step and proposed Project Lumos ( http://www.espcoalition.org/project_lumos.php) as a foundation for an industry solution to the spam problem.
In 2004, two primary approaches emerged for determining the authenticity of email: IP-based and cryptographic (signing), with DomainKeys and Identified Internet Mail being the more popular cryptographic solutions. Of the two, the IP-based approach, now referred to as the Sender ID Framework, is relatively straightforward. It is available to senders and receivers royalty free and can be rapidly deployed by ISPs and businesses alike, allowing for implementation today.
With Sender ID, authentication is achieved by verifying that the server delivering email for a specific domain is authorized to do so. The sender publishes a Sender Policy Framework (SPF) record in the DNS for its domain, listing the IP addresses (individually or as address ranges) of the servers authorized to send email on its behalf. Upon receipt of a message, the receiving system looks up the SPF record for the domain the message claims to come from and checks whether the IP address of the connecting server appears in that list; a message from a server that is not listed fails authentication.
With senders authenticated, ISPs and other receivers can safeguard against spoofed email and non-existent domains, and begin to associate reputations with sender identities. Spammers are known to have been among the first to publish SPF records, but that works in the receivers' favor: ISPs can now tie a spammer's practices to an identity and feed that into their anti-spam heuristics, reducing false positives and improving the deliverability of legitimate email.
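The receiver-side check described above, as an added illustration that is not ESPC, Sender ID or any ISP's code: a small Python evaluator modelled on the check_host() procedure of the SPF specification. DNS is replaced by constructed in-memory zone data so the script runs offline; every domain name, address and record below is made up for the example. It implements the ip4, ip6, a, include and all mechanisms plus the redirect modifier, and deliberately reports any mechanism it does not implement (mx, ptr, exists) as a permanent error rather than skipping it, so a record is never accepted on the strength of a check that was not made. The sample zone also contains a malformed record and one that includes itself, to show that a receiver gets "permerror" for both instead of a pass.

```python
"""Minimal SPF evaluator (added example; assumes the in-memory zone data below in place of DNS)."""
import ipaddress
import re

# Constructed sample zone data standing in for DNS TXT and A lookups (not real domains).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "old.example": "v=spf1 redirect=example.com",
    "broken.example": "v=spf1 ip4:300.1.1.1 -all",          # malformed: 300.1.1.1 is not an IPv4 network
    "loop.example": "v=spf1 include:loop.example -all",      # includes itself forever
}
SAMPLE_A = {"mail.example.com": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=])(.+))?$", re.I)
MAX_DEPTH = 10  # the spec caps DNS-querying mechanisms per evaluation; this also stops include loops


class SpfSyntaxError(ValueError):
    """A record the receiver cannot interpret; reported to the caller as 'permerror'."""


def check_host(ip: str, domain: str, txt=SAMPLE_TXT, a_records=SAMPLE_A, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for the connecting
    address `ip` claiming to send mail on behalf of `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    record = txt.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published: the sender cannot be authenticated
    redirect = None
    try:
        for term in terms[1:]:
            m = TERM_RE.match(term)
            if not m:
                raise SpfSyntaxError(term)
            qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
            if sep == "=":  # a modifier (redirect=, exp=), not a mechanism
                if name == "redirect":
                    redirect = arg
                continue  # unknown modifiers are ignored, as the spec requires
            if _mechanism_matches(name, arg, addr, domain, txt, a_records, depth):
                return QUALIFIERS[qual]
        if redirect:  # applies only when no mechanism matched
            inner = check_host(ip, redirect, txt, a_records, depth + 1)
            return "permerror" if inner == "none" else inner
    except SpfSyntaxError:
        return "permerror"
    return "neutral"  # ran off the end with no 'all': same as '?all'


def _mechanism_matches(name, arg, addr, domain, txt, a_records, depth) -> bool:
    """True if the connecting address matches one mechanism; raises SpfSyntaxError on bad syntax."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        try:
            net = ipaddress.ip_network(arg or "", strict=False)
        except ValueError:
            raise SpfSyntaxError(f"{name}:{arg}")
        if net.version != (4 if name == "ip4" else 6):
            raise SpfSyntaxError(f"{name}:{arg}")
        return addr in net  # False when address families differ
    if name == "a":
        host = arg or domain
        return any(addr == ipaddress.ip_address(h) for h in a_records.get(host, []))
    if name == "include":
        if not arg:
            raise SpfSyntaxError("include")
        inner = check_host(str(addr), arg, txt, a_records, depth + 1)
        if inner in ("none", "permerror"):
            raise SpfSyntaxError(f"include:{arg}")  # an include that resolves to nothing is an error
        return inner == "pass"
    raise SpfSyntaxError(name)  # mx, ptr, exists and unknown mechanisms: not implemented here


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("198.51.100.11", "example.com"), ("203.0.113.9", "_spf.example.net"),
                    ("203.0.113.9", "broken.example"), ("203.0.113.9", "loop.example"),
                    ("203.0.113.9", "unknown.example")]:
        print(f"{ip:>16} for {dom:<18} -> {check_host(ip, dom)}")
```

The same evaluator doubles as the record test a sender should run before publishing: feed it your own domain's record and the addresses of each outbound server and confirm each yields "pass", and confirm that an address you do not own yields "fail" rather than "neutral" or "permerror".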
Adoption of authentication is mandatory.
Late last year, some of the leading ISPs started checking senders for authentication. However, in March 2005, Microsoft estimated that only about 20 percent of the mail received at its Hotmail domain came from domains that had published an SPF record.[1] Some of the published SPF records were also found to be incorrect. This highlights the need for senders to test their records when they publish them and to review them on an ongoing basis to ensure they stay accurate and up-to-date.
While adoption is on the rise by legitimate senders, it is still far short of what's required to restore confidence in the medium, and importantly, take the next step to more broadly associate sender identity with their practices (reputation) to achieve true accountability in email. Other industry groups have already called for adoption of email authentication. The ESPC believes that more proactive measures are now required.
Toward that end, the ESPC will now require all current and prospective members to demonstrate their support for email authentication by implementing at least one of the authentication protocols for their corporate email and for the email they may send on behalf of others. (Based on a recent survey of its membership, the ESPC found that 97 percent were authenticating outbound client email and 73 percent were authenticating both client and corporate email.)
In addition, the ESPC calls on the providers of email accreditation and reputation services to make authentication a prerequisite for their solutions.
To further drive authentication, the ESPC calls on the major ISPs and others in the receiver community to:
- Interrogate inbound email to determine whether the sending domain has published an SPF record and whether that record has been published correctly.
- Publish adoption statistics on a routine basis so that all parties can gauge the level of success achieved.
- Provide overt notice to their members when the identity of an email sender cannot be authenticated, focusing first on non-compliance (no record published) and then on incorrect compliance (a malformed or inaccurate record).
While advocating that receivers give senders notice of incorrectly authenticated mail, or of their intention to blacklist or bounce unauthenticated mail, the ESPC firmly believes that it is in our mutual best interests for receivers to start taking definitive action based on the results of their authentication tests. We need receivers to reject mail from the spammers and phishers who are degrading our brands and destroying our medium. As an industry of concerned senders and receivers, we need to collectively take the next step toward email accountability.
More Information on Email Authentication
As a co-sponsor, the ESPC encourages business leaders, IT professionals and e-commerce executives to attend the Email Authentication Implementation Summit 2005. Held at the Marriott Marquis in New York City on July 12, this unique summit will enable attendees to learn how e-mail authentication techniques, collaboratively developed and implemented by the online industry, are helping protect businesses and consumers from spam, phishing attacks and e-mail fraud.
For more information about email authentication or for a free test of your authentication set-up, please visit www.emailauthentication.org or www.espcoalition.org/senderid.
About the Email Sender and Provider Coalition
The Email Sender and Provider Coalition (ESPC) was formed in November 2002 to fight spam while protecting the delivery of legitimate email. The ESPC is composed of 62 members including CheetahMail, an Experian Company; Constant Contact; Digital Impact; DoubleClick; ProspectivDirect; Return Path Inc.; SKYLIST and StrongMail Systems, Inc. The ESPC is currently working on solutions to spam and deliverability concerns through a combination of legislative advocacy, technological development, and industry standards. Its flagship initiative, Project Lumos, is an industry-authored solution to the spam problem. For more information on ESPC, please visit www.espcoalition.org.
Prepared by: ESPC Receiver Relations Committee
Dave Lewis, Vice President/Marketing, StrongMail Systems, Inc.
Ben Isaacson, Privacy and Compliance Leader, CheetahMail, an Experian Company
[1] Actual adoption is estimated to be as high as 30-35 percent. The lower figure observed at Hotmail results from a considerable amount of spam being blocked at the gateway based on known spammers' IP addresses.