I reported last week that large corporations have adopted new forms of "authenticated e-mail" at an astonishing rate. About 75 percent of Fortune 100 companies are now publishing Sender ID records. These text records list all IP addresses that are permitted to originate a company's legitimate e-mails. Meanwhile, 45 percent of the firms are using a stronger form of proof. They're digitally signing their e-mails using a technique called DomainKeys. Experts expect the newer DomainKeys standard to match Sender ID's adoption rate within a year.
Smaller companies have lower rates of compliance than the Fortune 100, so far. But the benefits of authenticating outbound e-mails can be just as great for small firms as for large ones. Most Internet service providers are now evaluating incoming messages to see whether the sender bothered to establish a proven identity. If your company isn't doing so, your messages are already being treated as suspect by some ISPs.
Phishing and Identity Theft Make Proof Essential
The move toward authenticated e-mail is being hastened by large financial institutions. These companies are constant targets of fraudulent "phishing" e-mails that pose as legitimate customer-service messages. But it's not just banks that have a stake in the game. Companies with any e-commerce role, large or small, need the buying public to trust Web transactions.
14 percent of Americans have stopped using online banking or bill-payment services because of fraud concerns;
20 percent will no longer open any e-mails, legitimate or not, that claim to be from a financial institution they bank with;
26 percent won't use any online financial products, period.
Imagine that the above figures are growing. Then, fill in the words, "Won't buy my company's online products or services..." This should give you an idea of the tremendous investment your company has in fixing the problem of fraudulent e-mail.
Adding DomainKeys to Your Outbound Mail
DomainKeys identifies e-mail messages more strongly than Sender ID does. That's because Sender ID merely specifies the IP addresses from which a company's legitimate e-mails may originate. DomainKeys, by contrast, involves digitally signing each message. The signature asserts that the sender was authorized to use the company's secret digital certificate. Signing a message also makes it impossible for anyone to alter the contents without invalidating the signature.
Adding DomainKeys signatures to every outbound message is a step that all companies will want to take as soon as possible. Doing this isn't a technical problem as much as it's a matter of preparing your company for the shift.
How One Company is Handling the Transition
In a telephone interview, Bank of America's Johnson explained how the firm's messages are gradually being converted to DomainKeys signing.
The first step for his company, or any company, Johnson says, is to make an inventory of the in-house staff and any outside vendors that send legitimate e-mails. "We have one domain that we use for some marketing purposes that we outsource," he explains. "We have DK and DKIM [DomainKeys Identified Mail, a later variant] set up on that server. That's sort of a pilot that we're watching."
Whether the bank's many other e-mail service providers will add DomainKeys signing is something that can affect the business relationship. "It would definitely factor in," Johnson says. "It's more important that we authenticate mail than that we use a particular vendor."
Both DomainKeys and Sender ID support a digital "flag" that tells ISPs, "You should now accept e-mails bearing our domain name only if they pass a DomainKeys or Sender ID test." Johnson says the Bank of America, like many businesses, is considering turning this flag on. But it can do so only when its upgrade process is complete.
"We want to do that," confirms Johnson, "but we want to make sure we're 100 percent ready before we flip that switch. It may be eight months before we even consider that."
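The effect of that switch on the Sender ID side, as an added example that is not part of the original column: a small evaluator checks a sending IP against a published record before and after the final term becomes "-all". The records, the domain and all IP addresses are constructed placeholders, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed records for the placeholder domain example.com.
# PILOT publishes the sender list without asking receivers to reject;
# STRICT ends in "-all", the flag that says "reject everything else".
PILOT = "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 ~all"
STRICT = "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip):
    """Return pass, fail, softfail, neutral or none for sender_ip.

    Only the ip4, ip6 and all mechanisms are handled; a full evaluator
    also resolves a, mx, include and redirect through DNS.
    """
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"  # not a sender-authorization record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]  # catch-all: the flag itself
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was published


def compare(sender_ip):
    """Result for one sending IP before and after the flag is turned on."""
    return evaluate(PILOT, sender_ip), evaluate(STRICT, sender_ip)


if __name__ == "__main__":
    # 203.0.113.9 stands in for a vendor missing from the inventory.
    for ip in ("192.0.2.17", "198.51.100.25", "203.0.113.9"):
        print(ip, compare(ip))
```

A legitimate vendor left out of the inventory moves from "softfail" to "fail" once the strict record is published, which is why the inventory has to be complete first.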
The sooner that day comes for your business, the sooner your messages can get all the benefits ISPs are granting to authenticated mail. Yahoo Mail and MSN/Hotmail, two of the world's largest e-mail services, have for months been tagging incoming messages with labels that essentially say "this message is valid" and "this message is not valid." Other ISPs are rapidly adding similar alerts that will be just as visible to users.
The Mechanics of DomainKeys Signing
If your company uses one of many popular e-mail server programs, adding DomainKeys signing to your outbound mail may be as easy as installing an add-on program. Yahoo, one of the original backers of DomainKeys, maintains a list of plug-ins for Sendmail, Qmail, Postfix, and many other mail applications. For users of Microsoft's Exchange Server 2003, a C# .NET implementation developed by CERN is available.
The mere fact that a message is DomainKeys signed doesn't ensure it's legitimate. But ISPs can reliably tie DomainKeys signed messages to the domains they came from. These ISPs then accept or reject the messages based on how "spammy" that domain's mail has been in the past.
Messages that are not DomainKeys signed will be treated as "probable spam" by more and more ISPs. Now is the time to start adding DomainKeys to your mail server to avoid this penalty.