Can You Prove Your E-Mail Isn’t Spam?

There are some simple steps your company can take to demonstrate that the e-mails you’re sending aren’t spam. If you’re not taking them, many recipients are now ready and willing to filter your messages into the trash.

I reported last week that large corporations have adopted new forms of “authenticated e-mail” at an astonishing rate. About 75 percent of Fortune 100 companies are now publishing Sender ID records. These text records list all IP addresses that are permitted to originate a company’s legitimate e-mails. Meanwhile, 45 percent of the firms are using a stronger form of proof. They’re digitally signing their e-mails using a technique called DomainKeys. The newer DomainKeys standard is expected by experts to achieve Sender ID’s adoption rate within a year.

Smaller companies have lower rates of compliance than the Fortune 100, so far. But the benefits of authenticating outbound e-mails can be just as great for small firms as for large ones. Most Internet service providers are now evaluating incoming messages to see whether the sender bothered to establish a proven identity. If your company isn’t doing so, your messages are already being treated as suspect by some ISPs.

Phishing and Identity Theft Make Proof Essential

The move toward authenticated e-mail is being hastened by large financial institutions. These companies are constant targets of fraudulent “phishing” e-mails that pose as legitimate customer-service messages. But it’s not just banks that have a stake in the game. Companies with any e-commerce role, large or small, need the buying public to trust Web transactions.

Erik Johnson, a Bank of America vice president, reported a series of heart-stopping statistics in a PDF presentation at the E-Mail Authentication Summit, a conference held last month in Chicago:

• 14 percent of Americans have stopped using online banking or bill-payment services because of fraud concerns;

• 20 percent will no longer open any e-mails, legitimate or not, that claim to be from a financial institution they bank with;

• 26 percent won’t use any online financial products, period.

Imagine that the above figures are growing. Then, fill in the words, “Won’t buy my company’s online products or services…” This should give you an idea of the tremendous investment your company has in fixing the problem of fraudulent e-mail.

Adding DomainKeys to Your Outbound Mail

DomainKeys provides stronger identification of e-mail messages than does Sender ID. That’s because Sender ID merely specifies the IP addresses from which a company’s legitimate e-mails may originate. DomainKeys, by contrast, involves digitally signing each message. The signature asserts that the sender was authorized to use the company’s secret digital certificate. Signing a message also makes it impossible for anyone to alter the contents.

Adding DomainKeys signatures to every outbound message is a step that all companies will want to take as soon as possible. Doing this isn’t a technical problem as much as it’s a matter of preparing your company for the shift.

How One Company is Handling the Transition

In a telephone interview, Bank of America’s Johnson explained how the firm’s messages are gradually being converted to DomainKeys signing.

The first step for his company, or any company, Johnson says, is to make an inventory of the in-house staff and any outside vendors that send legitimate e-mails. “We have one domain that we use for some marketing purposes that we outsource,” he explains. “We have DK and DKIM [DomainKeys Identified Mail, a later variant] set up on that server. That’s sort of a pilot that we’re watching.”

Whether the bank’s many other e-mail service providers will add DomainKeys signing is something that can affect the business relationship. “It would definitely factor in,” Johnson says. “It’s more important that we authenticate mail than that we use a particular vendor.”

Both DomainKeys and Sender ID support a digital “flag” that tells ISPs, “You should now accept e-mails bearing our domain name only if they pass a DomainKeys or Sender ID test.” Johnson says the Bank of America, like many businesses, is considering turning this flag on. But it can do so only when its upgrade process is complete.

“We want to do that,” confirms Johnson, “but we want to make sure we’re 100 percent ready before we flip that switch. It may be eight months before we even consider that.”

The sooner that day comes for your business, the sooner your messages can get all the benefits ISPs are granting to authenticated mail. Yahoo Mail and MSN/Hotmail, two of the world’s largest e-mail services, for months have been tagging incoming mails with labels that essentially say “this message is valid” and “this message is not valid.” Other ISPs are rapidly adding similar alerts that will be just as visible to users.

The Mechanics of DomainKeys Signing

If your company uses one of many popular e-mail server programs, adding DomainKeys signing to your outbound mail may be as easy as installing an add-on program. Yahoo, one of the original backers of DomainKeys, maintains a list of plug-ins for Sendmail, Qmail, Postfix, and many other mail applications. For users of Microsoft’s Exchange Server 2003, a C# .NET implementation developed by CERN is available.

The mere fact that a message is DomainKeys signed doesn’t ensure it’s legitimate. But ISPs can reliably tie DomainKeys signed messages to the domains they came from. These ISPs then accept or reject the messages based on how “spammy” that domain’s mail has been in the past.

Messages that are not DomainKeys signed increasingly will be treated as “probable spam” by more and more ISPs. Now is the time to start adding DomainKeys to your mail server to avoid this penalty.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020