Email Authentication: Actions you need to take today
By Leslie Price, Director of Deliverability Services
Executive Summary:
Since our initial whitepaper in September 2004, ISPs have continued to
collaborate to identify and implement authentication methods. For an introduction
to authentication methods, refer to our whitepaper dated September 9, 2004, which can
be found at www.returnpath.biz. This update briefly describes the
systems in use and the action steps that every email sender should be taking.
Authentication Defined:
Authentication is a way for the receiver of an email (and the ISP) to verify
the identity of the sender. If the identity of the sender cannot be authenticated,
ISPs may reject the message or put it through additional filters to determine
whether it should be delivered to the recipient. Without authentication, your
chances of being filtered or blocked by ISPs that are authenticating senders are
increased. ISPs are pursuing two primary methods of authentication:
cryptographic-based and IP-based.
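The receiver-side decision described above, shown for the cryptographic method, as an added example that is not part of the original whitepaper. It is a simplified model, not the DomainKeys wire format: the `publishedKeys` map stands in for the public key a sending domain publishes, and `example.com`, the message fields, and the SHA-256 digest are assumptions made for the demonstration.

```javascript
const crypto = require("crypto");

// Constructed key pair for the sending domain (example.com is a placeholder).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
// Constructed second key pair, held by someone who does not control example.com.
const otherKey = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 }).privateKey;

// Hypothetical stand-in for the key lookup: sending domain -> published public key.
const publishedKeys = new Map([["example.com", publicKey]]);

// The signature covers the From address and the body, so neither can be altered.
function signedData(msg) {
  return Buffer.from(`from:${msg.from.toLowerCase()}\r\n\r\n${msg.body}`);
}

function domainOf(address) {
  return address.slice(address.lastIndexOf("@") + 1).toLowerCase();
}

// Sender side: sign with the domain's private key.
function signMessage(msg, key) {
  const signature = crypto.sign("sha256", signedData(msg), key).toString("base64");
  return { ...msg, signature };
}

// Receiver side: "pass", "fail", or "unsigned" (no signature to check).
function authenticate(msg) {
  if (!msg.signature) return "unsigned";
  const key = publishedKeys.get(domainOf(msg.from));
  if (!key) return "fail"; // the purported domain publishes no key
  const sig = Buffer.from(msg.signature, "base64");
  return crypto.verify("sha256", signedData(msg), key, sig) ? "pass" : "fail";
}

// Constructed sample messages covering the cases a receiver has to tell apart.
function demo() {
  const base = { from: "news@example.com", body: "Your monthly statement is ready." };
  const genuine = signMessage(base, privateKey);
  return {
    genuine: authenticate(genuine),
    bodyAltered: authenticate({ ...genuine, body: "Log in at another site." }),
    wrongKey: authenticate(signMessage(base, otherKey)),
    unsigned: authenticate(base),
  };
}

console.log(demo());
```

A receiver would map "fail" to rejection or extra filtering and treat "unsigned" as mail that gains no authentication benefit.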
Crypto Based Authentication Methods Update:
Cryptographic methods use public key cryptography
to “sign” each message in a way that is
impossible to spoof and proves that the message came
from the purported sending domain. Yahoo!’s DomainKeys
is the method with the most traction. Currently:
• Yahoo! is signing and checking Yahoo! mail.
• Yahoo!, Earthlink, Gmail, and BT Internet are the
largest ISPs that are in the process of implementing a
cryptographic solution.
• While your email will not be rejected if it is not
signed, you can get strong anti-spoofing benefits
at the ISPs that are checking for DomainKeys. The
benefits of protecting your reputation are further
increased if your domain is widely spoofed.
• MTA vendors are incorporating DomainKeys signing
and checking into their products.
• Senders interested in DomainKeys should talk to the