Email sender authentication from the user's perspective

In a mid-2003 cover story I first wrote about emerging initiatives to bring accountability to the realm of email. In 2004 I updated that story with a discussion of two different (but in theory complementary) approaches to authentication of email senders: SPF and DomainKeys. Recently eWeek's Larry Seltzer cited this dismissive analysis by John Levine, and agreed with John that these schemes can't work.

Maybe so. Or maybe there really is daylight ahead. Either way, though, I've seen little generally-accessible analysis of the experiments currently underway. Let's look at them from the user's point of view.

DomainKeys

Both Gmail and Yahoo are testing DomainKeys. My outbound messages from Gmail, for example, are signed with Gmail's private key. That means recipients can obtain Gmail's public key from Gmail's DNS server and use it to verify that signature. From my perspective as a Gmail user that's just an abstraction, there's nothing to see or touch. But when I receive a message from a Yahoo user, the Gmail user interface does (very subtly) show the result of the verification check. If you're a Gmail user, you can see this in action by searching for a message from a Yahoo correspondent, then clicking Show options. If the message came directly from Yahoo you should see: Signed-By: yahoo.com. And if you drill down into Show original you'll see this header:

DomainKey-Status: good (test mode)
When I search my Gmail inbox for messages from yahoo.com, it also finds some that lack this indicator, and that bear no DomainKey-Status header. That's because they didn't, in fact, come directly from Yahoo. Messages sent from Yahoo users to me by way of my blog's email form, for example, are actually sent by userland.com, not yahoo.com, so they're not signed. The same is true for spam messages claiming to come from yahoo.com but really originating elsewhere.

I think this makes sense. The absence of a positive result is not a certain indication of malice. But the presence of a positive result does give me useful feedback. I know something about the provenance of the message I received that I otherwise wouldn't.

SPF

It's much harder for me to interpret what Gmail is doing with SPF, a protocol in which the receiving mail server checks the sender's purported domain to see if its DNS server blesses the sender's IP address. From a user's perspective, the visible outcome is a red warning that reads: This message may not be from whom it claims to be. This warning is often attached to phishing attempts, so to gather some samples, I searched my Gmail inbox for:

in:spam ((amazon OR chase OR paypal) AND account)

Here's an illustration of the rather bewildering variation in SPF headers and outcomes that I'm seeing in that result set:

From: Subject: Received-SPF: Gmail warning?
Gmail DOES WARN about phishing
Chase Credit Cards <chase@email.chase.com> Your Chase Credit Card fail (gmail.com: domain of chase@email.chase.com does not designate 199.125.85.152 as permitted sender) Yes
"PayPal Inc."<service@paypal.com> PayPal Confirm Message ! softfail (gmail.com: domain of transitioning service@paypal.com does not designate 199.125.85.152 as permitted sender) Yes
amazon@amazon.com <amazon@amazon.com> Please Update Your Amazon Account!!! neutral (gmail.com: 199.125.85.152 is neither permitted nor denied by best guess record for domain of rey@echobase.echobase) Yes
Gmail DOES NOT WARN about phishing
"Buy.com" <Tech_Offers@enews.buy.com> New Seagate 300GB USB 2.0 Hard Drive softfail (gmail.com: domain of transitioning BUY.COM_Tech_Offers@enews.buy.com does not designate 199.125.85.152 as permitted sender) No
"service@paypal.com" <service@paypal.us> your account will be suspended neutral (gmail.com: 199.125.85.152 is neither permitted nor denied by domain of paypal.us=service@srs.perfora.net) No

Conclusions

The standards are moving forward, as standards do. DomainKeys, for example, seems to be morphing into DomainKeys Identified Mail (DKIM). But what about the experiments already in progress, and the trial outcomes already visible to email users? I'd like to know more about where we stand now, but the information isn't easy to come by.

I'm not sure it's time to throw in the towel. It sure would be nice, though, if the experimenters wrote up their lab reports. It'd be even nicer if they linked to the relevant sections of those reports from the sender-authentication-related parts of their user interfaces.


Former URL: http://weblog.infoworld.com/udell/2006/01/17.html#a1372