Spam and e-mail
Because of the growing amount of "forged" e-mail from spammers and phishers, a mechanism for authenticating the senders of messages is growing more desirable. Toward that end, technologies have been developed to provide a way to verify senders' identities. In this article, we take a look at the Sender Policy Framework (SPF), a platform-independent sender authentication technology, and we also discuss Microsoft's Sender ID, which is based on SPF (and which has been declared dead in the water by more than one industry pundit). Then we look at where cryptographic solutions (digital signing) fit into the picture.

The trouble with e-mail

Don't hand out your real e-mail account freely. This is especially important for a company's employees. Company e-mail addresses should only be known to other employees and a few close family members, in case of emergency. Some companies publish a few employee e-mail addresses publicly, but they really shouldn't, as this invites spam as well as creative phishing scams.

Knowing how these authentication frameworks function is important, whether you're sending newsletters from your own servers (in which case you should adhere to the guidelines) or using a third-party mailing list manager (in which case you should make sure they adhere to the guidelines).

First, a word about DNS

The authentication standards noted above all depend on information in the Domain Name System (DNS), the infrastructure that translates between domain names and IP addresses. DNS records have been expanded so that domain owners can identify the specific mail servers authorized to send e-mail for their domain.

Digital signing with DomainKeys (DK)

The DK header can specify which other headers are signed; the e-mail body is always included. The domain in the "From:" (or, in some cases, "Sender:") header must always match the domain in the DK header, and that provides the linkage that verifies the sender. Because of the way the signature algorithm works, any modification to the signed parts will result in a signature mismatch; this provides some e-mail integrity protection. Domains and subdomains maintain public keys as TXT records in their DNS entries. DK uses a standard section of a domain's DNS space to contain the public keys for that domain. In addition, a selector is specified in the DK header, which can be used to restrict keys to specific organizations and to revoke keys periodically. To retrieve a key, one queries for the TXT record associated with the e-mail sender.

Regardless of the type of authentication being used, a surefire way to keep your messages from landing in a spam folder is to make sure your servers, and the servers of any e-mail service provider you're using, have published their SPF (Sender Policy Framework) records.
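The DK flow described above (a selector and domain in the signature header, a public key fetched from a TXT record under `<selector>._domainkey.<domain>`, the From: domain required to match the signing domain, and any edit to a signed header or the body breaking the signature) is easier to see in code. The following is an added example, not code from the article or from any DomainKeys implementation. The DNS zone, the message, the selector name `mail2024` and the domain `example.com` are constructed, and the signature uses textbook RSA with two small fixed primes over a SHA-1 digest purely to keep the example dependency-free; real DomainKeys uses RSA-SHA1 with PKCS#1 padding and much larger keys.

```python
import hashlib
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Toy key: two fixed, constructed primes and textbook (unpadded) RSA over a SHA-1
# digest. This is NOT a production RSA-SHA1 implementation; it only demonstrates
# the selector lookup, From/d= alignment and tamper-detection flow.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

SELECTOR, DOMAIN = "mail2024", "example.com"   # constructed names

# Constructed DNS zone: the public key is published as a TXT record under
# <selector>._domainkey.<domain>, the standard DomainKeys location.
ZONE: Dict[str, str] = {
    f"{SELECTOR}._domainkey.{DOMAIN}": f"k=toy-rsa; n={N}; e={E}",
}


def parse_tags(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' style tag lists used by the DK header and the key record."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())


def canonical(headers: List[Header], signed_names: List[str], body: str) -> bytes:
    """Bytes covered by the signature: the listed headers in h= order, then the body."""
    hmap = {n.lower(): v.strip() for n, v in headers}
    lines = [f"{n.lower()}:{hmap.get(n.lower(), '')}" for n in signed_names]
    lines.append(body)  # the body is always included
    return "\r\n".join(lines).encode()


def digest(data: bytes, n: int) -> int:
    """SHA-1 digest reduced into the toy RSA modulus."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def sign(headers: List[Header], body: str, signed_names: List[str]) -> List[Header]:
    """Prepend a DomainKey-Signature header naming selector, domain, signed headers and signature."""
    sig = pow(digest(canonical(headers, signed_names, body), N), D, N)
    value = f"a=toy-rsa; s={SELECTOR}; d={DOMAIN}; h={':'.join(signed_names)}; b={sig}"
    return [("DomainKey-Signature", value)] + headers


def verify(headers: List[Header], body: str) -> str:
    """Return 'pass', 'none' (unsigned) or a 'fail: ...' reason, following the DK checks."""
    hmap = {n.lower(): v for n, v in headers}
    dk = hmap.get("domainkey-signature")
    if dk is None:
        return "none"
    tags = parse_tags(dk)

    # 1. Linkage: the From: domain must match the signing domain given in d=.
    from_domain = hmap.get("from", "").rsplit("@", 1)[-1].strip(" >").lower()
    if from_domain != tags["d"].lower():
        return "fail: From domain does not match d="

    # 2. Key retrieval: selector plus domain locate the TXT record holding the key.
    txt = ZONE.get(f"{tags['s']}._domainkey.{tags['d'].lower()}")
    if txt is None:
        return "fail: no key published for selector"
    key = parse_tags(txt)
    n, e = int(key["n"]), int(key["e"])

    # 3. Recompute the digest over the signed headers and body; any edit changes it.
    others = [(k, v) for k, v in headers if k.lower() != "domainkey-signature"]
    expected = digest(canonical(others, tags["h"].split(":"), body), n)
    if pow(int(tags["b"]), e, n) != expected:
        return "fail: signature mismatch"
    return "pass"


# Constructed sample message.
HEADERS: List[Header] = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Invoice for March"),
]
BODY = "Hi Bob, the invoice is attached."

if __name__ == "__main__":
    msg = sign(HEADERS, BODY, ["From", "To", "Subject"])
    print(verify(msg, BODY))                      # pass
    print(verify(msg, BODY + " Pay now."))        # fail: signature mismatch
```

Rotating a key is just publishing a new selector record and signing with the new selector; mail signed under a retired selector then fails at step 2, which is the revocation behaviour the article alludes to.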
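To make the SPF side concrete, here is an added example (not code from the article or from any mail server) of how a receiving server evaluates a published SPF policy: it fetches the domain's `v=spf1` TXT record and walks the mechanisms in order, with a qualifier deciding the result when one matches. The zone data, domain names and IP addresses below are constructed. The evaluator handles the `ip4`, `ip6`, `a`, `include` and `all` mechanisms and the DNS-lookup limit of 10 from RFC 7208; `mx`, `ptr`, `exists`, `redirect=` and `exp=` are deliberately left out.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed zone data for this example; none of these are real DNS records.
# Each domain maps to its TXT records (where the SPF policy lives) and A records.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a include:mail-provider.example -all"],
        "A": ["198.51.100.10"],
    },
    "mail-provider.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:beef::/48 ~all"],
    },
    "no-spf.example": {"TXT": ["unrelated text record"]},
    # Misconfigured policy that includes itself: should end in permerror, not loop.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (a, mx, include, ...) per check


def lookup(domain: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(domain.lower(), {}).get(rtype, [])


def check_spf(client_ip: str, domain: str, budget: Optional[List[int]] = None) -> str:
    """Decide whether client_ip is authorized to send mail for domain.

    Returns pass / fail / softfail / neutral / none / permerror, mirroring the
    SPF result names. Supports ip4, ip6, a, include and all; mx, ptr, exists,
    redirect= and exp= are not implemented in this example.
    """
    if budget is None:
        budget = [MAX_LOOKUPS]  # shared with include: recursion
    ip = ipaddress.ip_address(client_ip)

    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"   # more than one v=spf1 record is a configuration error

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            continue         # modifier (redirect=, exp=): ignored here
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name in ("a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"   # lookup limit exceeded: treat as a broken policy
            if name == "a":
                addrs = lookup(arg or domain, "A")
                matched = any(ip == ipaddress.ip_address(a) for a in addrs)
            else:
                sub = check_spf(client_ip, arg, budget)
                if sub == "pass":
                    matched = True
                elif sub in ("none", "permerror"):
                    return "permerror"  # included domain has no usable policy
                # fail/softfail/neutral from an include: simply does not match
        else:
            return "permerror"   # unknown mechanism

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.200", "example.com"),
                    ("192.0.2.1", "no-spf.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:16} {dom:22} {check_spf(ip, dom)}")
```

Two points worth noticing: a `~all` inside an included policy never produces a softfail for the outer domain (the include merely fails to match, and the outer `-all` then decides), and a self-including policy exhausts the lookup budget and yields `permerror` rather than a loop, which is why third-party senders should be included rather than copied in and why the total lookup count of a published record needs checking.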