E-mail Authentication Implementation Summit 2005?

Paul F. Roberts has written a more detailed account of
this meeting here:


Worth a read if you are interested.

- ferg

  Does anyone know if any of these presentations are available anywhere?

Eric would have to point to his presentation, but you can find the
internet drafts at the following:

   "DomainKeys Identified Mail (DKIM)", Eric Allman, 12-Jul-05,

   "DKIM Sender Signing Policy", Eric Allman, 12-Jul-05,

   "Sender ID: Authenticating E-Mail", Jim Lyon, Meng Weng Wong,

   "Purported Responsible Address in E-Mail Messages", Jim Lyon,

While the event was focused upon advocating the use of Sender-ID now, and DKIM later, there was some information made available regarding Sender-ID not normally heard. I raised a question again in the smaller technical break-out about reputation protection on shared servers (made at the FTC presentation, the Open Source presentation in Boston, the MAAWG in San Diego, and now again at this forum in New York). In essence, the answer following the technical presentation by Harry and Meng was that no technology is perfect. I wish to commend Esther Dyson for asking the question again at the next two panels during the full session.

The first was an executive round table concerning eCommerce and Marketing. She asked how they dealt with the shared server issue. There was acknowledgment of the reputation concern and that they were migrating clients to ensure each had unique outbound IP addresses. Finally an answer. Esther also continued this point at the next panel concerning DKIM by asking whether DKIM was also a solution for the shared server problem. Of course the answer was yes.

While Sender-ID may be readily available today, so is DomainKeys where DKIM is upwardly compatible. DKIM solves some of the issues which hampered the DomainKeys deployment when support calls were generated by those asking about the Sender header added to the message. DKIM no longer requires the signer be bound to either the Sender or From header.

Sender-ID does not have a solution for the sender that addresses the forwarded account problem, and many recipients are not honoring the '~' or '?' syntax that attempts to mitigate this problem. This syntax is exploited by abusers, which causes some to not accept mail resulting in either 'neutral' or 'soft-fail.' Again, DomainKeys and DKIM offer a solution for forwarding accounts, and the shared server problem.

There was a chart indicating 2.7% of the domains publish SPF records, with much of this by spammers. Only by including reputation will email authentication provide relief from abuse. It was also pointed out that Hotmail only makes the Resent-From header visible when there was a validation failure, which leaves consumers still vulnerable to phishing exploits. Of course, normal email clients will also expose consumers to phishing even with Sender-ID validation.
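
An added example, not part of the original message or of the drafts it lists: a simplified evaluator for SPF-style records (only the `ip4` and `all` mechanisms) showing what the '~' and '?' qualifiers return for a forwarded message, and that an unauthorized host gets the identical result. The records and addresses are constructed, and `check_spf` and `forwarding_table` are hypothetical names.

```python
import ipaddress

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a simplified SPF record against the connecting IP address."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when no prefix is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

# Constructed sample data (documentation address ranges).
SENDER_MTA = "192.0.2.25"       # the domain's own outbound server
FORWARDER_MTA = "198.51.100.7"  # forwarding service relaying the same message
UNAUTHORIZED = "203.0.113.99"   # host with no relationship to the domain

RECORDS = {
    "-all": "v=spf1 ip4:192.0.2.0/24 -all",
    "~all": "v=spf1 ip4:192.0.2.0/24 ~all",
    "?all": "v=spf1 ip4:192.0.2.0/24 ?all",
}

def forwarding_table():
    """Map each policy to its (direct, forwarded, unauthorized) results."""
    return {
        policy: tuple(check_spf(rec, ip)
                      for ip in (SENDER_MTA, FORWARDER_MTA, UNAUTHORIZED))
        for policy, rec in RECORDS.items()
    }

if __name__ == "__main__":
    for policy, results in forwarding_table().items():
        print(policy, results)
```

In every row the forwarder and the unauthorized host receive the same result, so a receiver has no basis in the record alone for treating 'softfail' or 'neutral' mail from a forwarder differently from abuse.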