It’s been a busy year in email
Last night I sat on a panel at the INBOX Email Conference about Email Sender Authentication Deployment, “What to do now”. The deck was a little stacked with my CEO moderating the discussion and the other participants from Microsoft and the SPF community all being on the same page as us, but I took a moment to reflect on exactly how far we’d come in the past year as an industry.
At the end of 2003 people were still sorting out a myriad of different anti-spam content approaches, email was still mostly reliable, but we all knew that we were going to have to evolve the infrastructure in order to continue to provide service for the billion or so users that have come to rely on electronic messaging. There was limited cooperation between groups, mostly in the form of a gorilla gang of huge ISPs that formed the Anti-Spam Technology Alliance (ASTA). In January, a meeting was hosted in Boston (on the coldest day on record I might add, 40 below zero!) that brought together a large number of ISPs, legitimate volume senders, technology vendors, and various luminaries in the email space to lay out a plan for what needed to be the next steps for email. It had been clear for a while before this time that we at least needed a way to provide accountability in the email stream so that we would at least know with reliability where a message was coming from, but there was still a lot of uncertainty about what to do with that information.
At the Boston meeting we started to compare and contrast a wide variety of proposals for email authentication: SPF, Microsoft’s Caller-ID, Yahoo’s DomainKeys. More importantly, the key players forged relationships that have allowed us to work productively (for the most part) over the past year. Now everyone understands that authentication itself won’t make much money (in fact, it has to be nearly free in order to become ubiquitous), and they’re willing to work towards the common good as we understand it will enable an entirely new approach to email management that will be enabled by identity, accreditation, and reputation.
As a core part of the email infrastructure, Sendmail has taken a central role over the past year to help refine, test, and deploy these different authentication solutions (because we feel that it is not only likely, but necessary to have multiple complementary standards). We have been actively engaged with the major proposal authors, written and released several open source (i.e., free) plug-ins for people to use, and spent quite a bit of time evangelizing the concept in the media, at various conferences, and on our own site.
Back in January there was an insignificant number of domains that were authenticating their email (a notable exception being AOL…kudos to their gung-ho attitude). We set a goal for ourselves that we’d like to try to get 10% of legitimate email authenticated by the end of the year (knowing that a large portion of spammers would authenticate their mail as well, which is a good thing). Recent figures from various ISPs that have started checking for authentication information on inbound mail show that already 30-40% of mail (by volume) has authentication information available. This is a tremendous gain, and I think it’s safe to say that by the end of 2004, nearly half of all legitimate email will be able to prove that it really came from where it says it came from. Even more encouraging, there has been an equally quick ramp-up (although slightly delayed) of cryptographic authentication proposals (an approach that we feel will provide better protection for more messages in the long run). Yahoo and Gmail are already signing 100% of their outbound email, AOL and Earthlink will start soon, and many financial and e-commerce sites with content to protect are making plans to begin signing during the first half of next year.
This means that we’ve reached the first tipping point in market adoption, after less than twelve months. So many sites are authenticating their outbound mail that there is now real value for receivers to start checking and using this information on the mail that they accept. Already a number of receivers are using authentication status as a factor in their decisions about whether or not to accept a message, and in just the past few weeks we’ve seen the first indications that they are starting to consider requiring authentication on inbound email at some point in the future. In short, even though there were a number of bumps along the way, I think we’ve more than achieved our goals for this year. Even though we set what we thought were fairly optimistic targets, those expectations have been blown away.
So what’s next? 2005 is going to see a huge amount of innovation as people start to implement new ways of processing their email. Spammers and phishers will still be out there, but they are going to have to radically change the way they do business, so we’ll be watching for shifts and countering at every move. Most importantly, receivers are going to regain control of what gets into their inbox. Email will become reliable again, and can continue on pace as the most cost-effective and wide-reaching communications medium we have.
What should you be doing? If you’re an email administrator or domain owner, take a look at the information we’ve published on sendmail.net about all of this new technology. In particular I recommend that you read our white papers that present an overview of the whole topic, as well as our current recommendations. If you are an end-user, you should encourage your administrators or ISPs to begin adopting these practices, because you will want to be sure that your email provider is doing everything they can to protect both your identity on outbound messages as well as the integrity of email they deliver to you.
As for me, I expect to spend much of next year back out there with the random cast of characters who have been flogging this topic for quite some time. At this point we’ve come to think of ourselves as a group somewhat similar to either a world cup ski team (although the destinations or activities are nowhere near as glamorous) or a traveling circus (even though our activities are nowhere near as organized).
And yes, I need to get authentication working on my home domains for real now, I just need to get back to real connectivity first!