Monday, November 14, 2005

What You Need to Know About Authentication

by Michelle Keegan, Email Marketing Diva®,
Constant Contact® (Permission requested.)

Chances are, if you make a habit of reading about email marketing (I might assume you do since you’re reading Email Marketing Hints & Tips right now) you have tripped over the word “authentication” recently.

Email authentication is the latest tactic that some ISPs and corporate domains will use to decrease spam (and spoofing and phishing too, for that matter) and to increase the number of permission-based emails that make it to the inbox.

Without email authentication, you may see a decrease in email deliverability to ISPs and corporate domains that use some form of authentication to help filter incoming email. But, if you are an authenticated sender, you should see enhanced email deliverability to those same ISPs and corporate domains. There are benefits for all of us as email recipients too.

Email authentication isn’t rocket science, but it’s not the easiest concept to grasp – or to explain. That’s why I decided to go straight to an expert on the subject, Constant Contact’s Director of ISP Relations, Tara Natanson, to get the real skinny on “authentication.” Today, I get to ask the questions while Tara takes the hot seat.

Michelle: "Tara, can you explain to us in plain English what email authentication is?"

Tara: "In a nutshell, email authentication is a way to verify that an email message actually came from where it says it’s from. There are at least two emerging schemes at this time that are gaining in popularity. They differ in specifics but, in general, they require senders to make it clear which email servers they are sending from."

Michelle: "Why do we need email authentication? Why is it important?"

Tara: "We need it because literally billions of people depend upon email for communication, so it is essential that email is viable and trusted. In fact, email volume in the United States alone is expected to reach more than 2.6 trillion messages in 2007. We need authentication to bring trust back to email by laying a framework for legitimate email senders to be identified. Email authentication is the first big step to preserving email as we know it today – an important communication tool."

Michelle: "That makes a lot of sense. Now in order to understand how authentication will bring trust back to email, maybe we should start with the benefits. First, what are the benefits email authentication offers to ISPs and corporate domains?"

Tara: "Email authentication will help ISPs and corporate domains determine – with a greater level of confidence – whether an email is genuine or fraudulent and, in turn, whether they should deliver the mail to their customer’s inbox or not."

Michelle: "What benefits can email marketers expect to receive?"

Tara: "As an email marketer, if you meet authentication requirements, your emails will be recognized as legitimate by receiving ISPs and corporate domains that are using authentication as a part of their email filters. Once you are verified as an authenticated sender, your email can be delivered to the recipient. The authentication process is designed to increase email deliverability and reliability, as well as reduce false positives for email marketers. In turn, I am hoping it will also increase open rates, as users begin to trust their email again. As a bonus, it can help preserve the reputation of companies who utilize email as a communications tool."

Michelle: "And what do recipients or consumers get out of email authentication?"

Tara: "Authentication is a way for email recipients to have a greater level of confidence in their email inbox. If your ISP or corporate domain uses authentication as a filter, you will know that the emails that are authenticated have been properly screened. Recipients will also be better protected from various scams, including spoofing and phishing."

Michelle: "All this makes sense so far. Now for the big question: how does email authentication work?"

Tara: "There are currently multiple types of email authentication but they all are based on a similar principle. They look at the domain the email was sent from -- for example constantcontact.com -- and attempt to verify that it came from an IP/server that is authorized to send mail on behalf of that domain."

Michelle: "I’ve heard about two types of authentication - Sender ID and DomainKeys. What is Sender ID? And what is DomainKeys?"

Tara: "Sender ID is the email authentication tool backed by Microsoft, while DomainKeys is Yahoo!’s tool. They are very similar, but DomainKeys takes things to another level by adding a cryptographic signature to ensure higher security. No matter which one is being used, they all address the basic issue of sender identity."

Michelle: "As an email sender, what do I do to get authenticated?"

Tara: "The technical details should be taken care of by your email service provider or IT department. If you do not have an IT department or are not already familiar with DNS records, IP addresses and mail server administration, you should 1) use an email service provider who can take care of this for you or 2) contact your domain/hosting company for more detailed information. You will need to know all IP addresses that send email for your domain."

Michelle: "This is the part that sounds complicated to me. I know that most of our subscribers do not have an IT department and I’m pretty sure they are not all that familiar with DNS records, IP addresses or server administration. So I’m betting most readers will indeed go the email service provider route and speak with their domain/hosting companies."

"When will authentication be adopted by ISPs and corporate domains?"

Tara: "Microsoft (www.MSN.com and www.hotmail.com) and Yahoo are expected to be the first to fully incorporate authentication as part of their formula for determining which emails are delivered to the inbox. The expectation is that the rest of the industry will follow suit and adopt either Sender ID or DomainKeys, or both."

Michelle: "That means that email senders and email service providers, like Constant Contact, need to be prepared to address both Sender ID and DomainKeys, right?"

Tara: "That’s right – to cover all the bases."

Michelle: "It should deter spammers if anonymity is replaced with identity. After all, most criminals aren’t afraid of doing something illegal, they’re only afraid of being caught. So can email authentication actually help us enforce CAN-SPAM laws?"

Tara: "We hope so, yes. We always knew that the real solution to spam and other problems was a technological one. Industry experts have been very busy over the last few years collaborating to create a solution that would work for everyone; that would preserve email as a communications medium and restore consumers’ confidence. Email is one of the greatest inventions of the 21st century and it has changed the way that people communicate in their everyday lives. Email authentication is the first big step to preserving this important form of communication."

Michelle: "Thanks Tara, for explaining this significant advance in simple terms that we can all understand."
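The check Tara describes, verifying that the connecting IP is authorized to send mail for the domain, sketched as an added example (not part of the original article, and not Constant Contact's code). It assumes the SPF-format DNS TXT records that Sender ID reads; the record text, the function name and the documentation-range addresses are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so it runs without DNS lookups.

```python
import ipaddress

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_sender(record, client_ip):
    """Evaluate a published sender-policy record against the connecting IP."""
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"                      # no usable policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifiers (redirect=, exp=) are ignored here
            continue
        qualifier = "+"                    # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # catch-all: always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ptr need DNS; refuse to guess the outcome
        return "unsupported"
    return "neutral"                       # nothing matched and no "all" term

# Constructed record for a hypothetical sending domain (documentation IP ranges).
RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.26", "2001:db8::1", "203.0.113.7"):
        print(addr, check_sender(RECORD, addr))
```

A sending IP left out of the record ends in `fail` at `-all`, which is why the sender needs the full list of addresses that send mail for the domain before publishing.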

If you would like more information on email authentication, please visit the following websites:

*Note to Constant Contact users: Constant Contact’s Authentication will be available within the next two weeks. It supports both Sender ID and DomainKeys. You should expect an announcement from Constant Contact with additional information shortly.

Michelle Keegan is the Email Marketing Diva® for Constant Contact ®, the leading Do-It-Yourself Email Marketing provider for small and medium-sized businesses. Michelle has over 12 years of experience in sales and marketing and has spent the last 7 years focused on best practices in email marketing for small business.

Thanks, Michelle Keegan and Tara Natanson, for enlightening us!

Origins of the Word "Phishing"

Ever wonder where words such as “phishing” and “hacking”, and the names for other forms of identity theft, come from? Well, let’s look today at one: the word “phishing”.

The word "phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users. The term was coined around 1996 by hackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users. The first mention of phishing on the Internet is on the alt.2600 hacker newsgroup in January 1996; however, the term may have been used even earlier in the printed edition of the hacker newsletter "2600".

"Ph" is a common hacker replacement for "f", and is a nod to the original form of hacking, known as "phreaking". Phreaking was coined by the first hacker, John Draper (a.k.a. "Captain Crunch"). John invented "hacking" by creating the infamous Blue Box, a device that he used to hack telephone systems in the early 1970s.

This first form of hacking was known as "Phone Phreaking". The blue box emitted tones that allowed a user to control the phone switches, thereby making long distance calls for free, or billing calls to someone else's phone number, etc. This is in fact the origin of a lot of the "ph" spelling in many hacker pseudonyms and hacker organizations.

By 1996, hacked accounts were called "phish", and by 1997 phish were actually being traded between hackers as a form of currency. People would routinely trade 10 working AOL phish for a piece of hacking software that they needed.

Over the years, phishing attacks grew from simply stealing AOL dialup accounts into a more sinister criminal enterprise. Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites. Phishing attacks are growing quickly in number and sophistication. In fact, since August 2003, most major banks in the USA, the UK and Australia have been hit with phishing attacks.



Copyright © 2005,
Etienne A. Gibbs, MSW.
All rights reserved.
