Join us at the
Authentication and Online Trust Summit 2007 (AOTA 07)

April 18-19, Boston Sheraton
Message Systems is proud to be an Industry Underwriter for this intensive two-day program focused on online authentication, identity and reputation sponsored by the Authentication and Online Trust Alliance.

Best Practices in Authentication and Reputation Management

by Barry Abel, Vice President of Field Operations, Message Systems

In an effort to shield their customers from spam, phishing and spoofing, ISPs are implementing aggressive countermeasures, including domain authentication, throttling, blacklisting, tar-pitting, spam filtering and reputation assessment. While effective, these prevention tactics can unintentionally block legitimate messages. This rapidly evolving environment makes it increasingly expensive and difficult for reputable senders to get their email into their prospects’ and customers’ inboxes.

To ensure that their legitimate mail gets delivered, senders must develop sound strategies to keep pace with the ISPs’ changing requirements on how they want to receive mail.

Authentication

One way to eliminate phishing attacks and spoofing is through the use of authentication technology, which filters out mail from senders who are pretending to be someone they aren’t.

Because ISPs are aggressively adopting authentication technology, a failed authentication check could trigger any of a number of reactions from the ISPs. These actions can range from throttling to marking mail with a cautionary message to a flat-out block. In recent months, Yahoo, Gmail and Earthlink have adopted DKIM (DomainKeys Identified Mail). Hotmail uses Sender ID. AOL is expected to implement a strategy this year and others are sure to follow.

DomainKeys Identified Mail (DKIM) provides a method for validating an identity that is associated with a message while it is transferred over the Internet. This is done by signing each message with DKIM (a DKIM token), which validates the identity of the sending domain.

The Sender ID Framework is Microsoft’s e-mail authentication protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sending domain.

Best Practices:
If your company sends its own mail, make sure that each mail message is signed with both DKIM and Sender ID tokens. This will ensure that your mail is authenticated no matter which ISP receives it, since each ISP has its own standards for authentication checks. If your company uses an ESP, choose one that stays current with authentication standards.

Reputation Management

Most ISPs have systems in place to individually scan incoming messages for viruses and spam, check them against blacklists, and evaluate them against any number of other attributes. Reputation is one of the newest criteria ISPs are using to evaluate mail. ISPs do this by requesting the sender’s reputation score from a central third-party reputation database.

While reputation management promises to significantly decrease the amount of spam received by ISPs, it also means that senders must be able to implement a variety of specific sending rules to comply with each ISP’s requirements, and to apply header markups that incorporate third-party accreditation solutions. Senders who already have an email solution that can readily accept new standards will be able to adapt easily to the changing sending environment and to build and maintain a positive reputation with ISPs. Those with less flexible solutions could unknowingly find themselves at risk of inadvertently damaging their reputation through poor or unchecked sending practices.

One way for a sender to maintain its good reputation is to comply with individual ISP throttling requirements. Choosing an email solution that provides control over settings such as total outbound connections, total message volume and volume ramping gives senders a way to match their sending practices to each ISP’s requirements.

As we reported in our last newsletter, a vast database of reputation data based on the sending practices of thousands of companies has been collected globally by anti-spam and accreditation vendors. This information was recently published to provide ISPs with another way to filter email, giving rise to a “gray list” of senders. ISPs will make judgment calls on gray-listed senders based on the sending history published in this report. This reputation assessment will go into the ISP’s policy matrix to determine whether to deliver or block email from unknown gray-listed senders. It will be another scoring criterion that will either increase or decrease the likelihood of a sender’s mail getting through.

Best Practices:
To maintain a good reputation with ISPs and ensure deliverability of your mail:

  1. Review the configuration of your message system to ensure that you are not overburdening the ISPs. If you use an ESP, make sure they provide you with the analytics to understand exactly how the ISPs treat your mail (i.e. acceptance/rejection, how many connections they are making to each ISP and throughput for each), and
  2. Contract with a third-party accreditation service that certifies sender policies and practices and makes those certified lists available to the ISPs. Depending on the type or volume of mail being sent, it may be worthwhile to establish an in-house ISP relations team. Either method will ensure that your mailing practices and reporting are set up to maintain a good reputation and relationship with each ISP.
Barry Abel, Vice President of Field Operations

Barry brings 18 years of enterprise software sales, product management and marketing experience to Message Systems. Previously, he was director of sales at Mindfabric, Inc., a supplier of enterprise-class natural language processing, knowledge management and business rule processing solutions. In this role, he was responsible for recruiting the company's first key reference customers, partnerships and venture capital initiatives. Prior to Mindfabric, Barry held executive sales, marketing and business development positions at high-tech companies including Critical Path, PeerLogic, International Computers Limited (ICL) and Cap Gemini America. He holds a B.S. degree in business management from the University of Maryland.

Message Systems, Incorporated
7070 Samuel Morse Drive
Suite 150
Columbia, MD 21046
Phone: 410-872-4910 x312
Toll Free: (877) 887-3031 x312
Fax: 410-872-4912
messagesystems.com