Sender ID, DomainKeys Are Hammering Spam

Two authentication technologies are making it easier to separate genuine e-mails from spam.
When an 800-pound gorilla says, "You must prove to me that your e-mail isn't spam, or else," it's amazing how fast a lot of other big apes will comply.

I reported last week that 75 percent of Fortune 100 companies are now using Sender ID to positively identify their marketing e-mail messages. Even better, 45 percent are taking the next step and digitally signing their messages using DomainKeys.

These two e-mail authentication standards were at each other's throats and were barely used by large companies when I last wrote on this subject on Sept. 28, 2004. Now, the two technologies are seen as complementary. In fact, it's now clear that all serious sources of e-mail soon will have to adopt both techniques. As promised, the new methods are making it easier to separate genuine e-mails from spam, and the flows to some ISPs are actually declining as better filtering renders spam uneconomical.

These two e-mail authentication methods are experiencing remarkable growth, considering that they haven't been mandated yet by Internet standards bodies. The geometric adoption rates for Sender ID and DomainKeys demonstrates what can happen when the two kings of the e-mail jungle, Microsoft and Yahoo, start howling and beating their chests.

Prove Your E-Mail is Legitimate

In interviews with executives of Microsoft and Yahoo, I've found convincing evidence that shows why e-mail authentication is skyrocketing. It's because Microsoft's MSN/Hotmail,'s Yahoo Mail, and other large service providers are making senders' messages look very bad if they don't comply.

Hotmail for months has been displaying a scary, yellow banner warning consumers that certain messages "could not be verified by Sender ID." (See sample image in Figure 1 at the bottom of this article.)

Yahoo takes a different approach, prefixing a reassuring note to certain messages: "DomainKeys has confirmed that this message was sent by" Messages that don't bear this assurance, of course, can look mighty suspicious. (See Figure 2, below.)

Other e-mail services are overwhelmingly moving toward full adoption of one or both methods of authenticating the source of inbound mail. All 18 of the largest ISPs are marking their outbound mail with one method or the other, according to a statement by an industry coalition. And several of them, in addition to Hotmail and Yahoo Mail, already are using a message's lack of authentication as a count against it when filtering out possible spam.

Consumers may not fully grasp the different standards. But there are signs that e-mail verification is making a difference. In an unpublished study that will be posted later this month by e-mail service Epsilon Interactive, 19 percent of Yahoo Mail users and 43 percent of MSN/Hotmail users say they've already noticed the two providers' authentication banners on messages they've received.

No major ISP is flatly rejecting messages that aren't authenticated. But that day clearly is coming. For those of us who hate the way spam and phishing messages have made e-mail dangerous and unreliable, mandating that all e-mail must confirm whom it's really from can't come too soon.

When a Phenomenal Growth Rate is Good

In an e-mail interview, Microsoft officials stated that it isn't just Fortune 100 companies that have adopted e-mail authentication; smaller companies are, too.

"There has been a threefold increase in Sender ID adoption among Fortune 500 companies, increasing from 7 percent in July 2005 to 21 percent in March 2006," said a spokesperson, who asked not to be identified in accordance with company policy.

"In the past year, the number of dot-com and dot-net domains publishing their SPF records [a subset of Sender ID] jumped by more than 125 percent, increasing from 750,000 domains in March 2005 to 2.16 million domains in March 2006," the spokesperson said.

As more corporations identify which IP addresses are legitimate sources of their e-mail, spammers and phishers who target those companies are getting squeezed out. "Thirty-two percent of inbound legitimate mail received in MSN Hotmail is now Sender ID compliant, up from 20 percent in January 2006," the spokesperson said. There's no benefit to spammers in adopting either Sender ID or DomainKeys, since verification of the sender's true identity is the last thing spammers want.

Getting Your Mail Through to Yahoo

A somewhat smaller number of companies are digitally signing messages using the technique called for by DomainKeys. The slower adoption rate is partly because of concerns that digital signing might slow down a corporation's heavily used outbound mail servers.

Those concerns have now proven false, says Miles Libbey, the antispam product manager for Yahoo Mail, which signs all outgoing mail. "Yahoo is the largest e-mail provider for consumers in the world, and we have yet to add a single piece of hardware because of DomainKeys," he asserts.

That view is confirmed by Jordan Cohen, director of ISP and government relations for Epsilon Interactive. Epsilon sends permission-based e-mail newsletters and notifications at the rate of 20 billion per year for its more than 500 corporate clients.

His service added DomainKeys signing to all outbound messages, Cohen says, and "fully implemented, we've seen a minimal hit. It's really negligible." Without providing specific figures, Cohen suggested that DomainKeys signing reduced a mail server's outbound capacity by nothing more than a rounding error. That easily could be made up by the improved deliverability that DomainKeys messages enjoy.

"Since DomainKeys proves that a message is not forged," says Yahoo's Libbey, "we skip all the filters that test whether the message is forged. So there's a higher delivery rate."

It's not just Yahoo that's checking e-mails for DomainKeys signing. Some of the other ISPs that already use DomainKeys to rate incoming mail are Earthlink, SBCGlobal, and British Telecom's BTInternet. AOL is widely reported to be implementing checks for both Sender ID and DomainKeys by the end of 2006.

"Now there's high penetration for [Sender ID's] SPF," says Epsilon's Cohen. "By this time next year, we'll see that same high penetration for DomainKeys."

Are You an Adopter or a Chicken?

DomainKeys provides a much greater level of assurance for e-mail than does Sender ID. Publishing an SPF record says that only certain IP addresses are authorized to send legitimate messages originating from a company. DomainKeys confirms not only that a message came from an recognized server but that it was authorized by someone in the company and was not altered in transit.

The rapid adoption of Sender ID and Domain Keys, though impressive, is marred by the fact that companies haven't yet declared, "Messages that are proved invalid should be bounced without exception." In part, this is due to hesitation over whether the two standards work reliably. But it's also true that many companies are simply afraid to take such a bold step.

In this space next week, I'll examine what it really takes for a business to become fully Sender ID and DomainKeys compliant -- and what's keeping so many companies from declaring that they're 100 percent on board.

Hotmail's SenderID warning message
Figure 1: Hotmail shows the above warning when senders haven't created a Sender ID record.

Yahoo's DomainKeys verification message
Figure 2: Yahoo shows the above confirmation for messages signed with DomainKeys.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.