Status of Email Authentication
2005-02-16 17:56:07
Seems like email authentication may be stalled because not enough ISPs are actually using it. They won't start using it until it can help them filter incoming spam. That won't happen until a lot more other ISPs are using it, and there are some good domain-rating lists available. Vicious circle. Guess we'll have to wait for Microsoft to get the ball rolling.
I've done two things. 1) Written an encyclopedia article to explain the basics of email authentication, independent of any particular method. 2) Offered to help my ISP set up a test platform, and see if authentication can help in filtering the incoming flood.
I would like to get comments on the article http://en.wikipedia.org/wiki/Email_Authentication I'm especially concerned about the section on email forwarders. I had to take a wild guess as to what an eventual standard header might look like. Does anyone know if there has been any progress on this? I saw a recent article in CircleID about IETF http://www.circleid.com/channel/index/C0_6_1/. If anyone can get beyond the arguments over petty details, it will be IETF.
As for the test platform, I'm looking at using Sendmail. They seem to be the most aware of the huge potential payoff for authentication, and the various factors needed to get things started. They are supporting all three methods (SPF, SenderID, and DomainKeys) http://www.sendmail.com/solutions/security/ although they state in their FAQ that a cryptographic method will be the best long-term solution. http://www.sendmail.com/solutions/senderauth/faq/#difference "Sendmail strongly believes that cryptographic approaches are the right long term solution as they avoid many of the infrastructure disruptions that IP auth would cause and they offer strong protection of the message contents themselves." I guess that means DomainKeys.
Are there any other MTAs besides Sendmail that I should look at for the tests? Does anyone have a suggestion for a domain-rating list? I see SpamCop.net has a nice blacklist, and SenderBase.org has good statistics on total mail volume. Seems like a good starting list could be generated using ratios of spam reports to total volume.
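The ratio idea in the last sentence, sketched as an added example that is not part of the original post. It goes one step beyond the plain ratio by smoothing toward a prior, so a domain with one report out of one message is not rated like a bulk spammer. The domains, counts and the two prior constants are constructed assumptions, not SpamCop or SenderBase figures.

```python
# Constructed sample data: (authenticated domain, spam reports, total volume).
SAMPLE = [
    ("bulk-sender.example", 9000, 10000),
    ("big-isp.example", 500, 1000000),
    ("tiny-new.example", 1, 1),
    ("quiet.example", 0, 3),
]

PRIOR_RATE = 0.05    # assumed report rate for a domain with no history
PRIOR_WEIGHT = 100   # assumed number of "virtual" messages the prior counts as


def raw_ratio(reports, volume):
    """Plain spam-reports / total-volume ratio; None when no volume is known."""
    if reports < 0 or volume < 0:
        raise ValueError("counts must be non-negative")
    if volume == 0:
        return None
    # Reports and volume come from different sources, so clamp to 1.0.
    return min(1.0, reports / volume)


def smoothed_ratio(reports, volume,
                   prior_rate=PRIOR_RATE, prior_weight=PRIOR_WEIGHT):
    """Ratio pulled toward prior_rate; the pull fades as volume grows."""
    if reports < 0 or volume < 0:
        raise ValueError("counts must be non-negative")
    rate = (reports + prior_rate * prior_weight) / (volume + prior_weight)
    return min(1.0, rate)


def rate_domains(rows):
    """Return (domain, raw, smoothed) tuples, worst smoothed rating first."""
    rated = [(d, raw_ratio(r, v), smoothed_ratio(r, v)) for d, r, v in rows]
    return sorted(rated, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for domain, raw, smooth in rate_domains(SAMPLE):
        raw_text = "n/a" if raw is None else f"{raw:.4f}"
        print(f"{domain:22} raw={raw_text:>7} smoothed={smooth:.4f}")
```

A rating like this only means something when the domain name has been authenticated; otherwise a forged sender inherits someone else's score.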