In the first test of Yahoo's e-mail authentication technology, e-mail system provider Sendmail found the cryptographic system would cost less to deploy than some have thought.
Sendmail found in initial benchmark testing of the DomainKeys mail filter that performance was “well within expected norms.” The process required 7.8 percent more computer-processing power on outbound e-mail. Sendmail said that would make DomainKeys 10 times less cumbersome than typical spam filters. Sendmail's testing team found their servers using DomainKeys could deliver more than 100 pieces of mail per second.
Greg Olson, executive vice president of development at Sendmail, said the tests, though still early, showed that DomainKeys holds real promise as a robust, cost-efficient method of establishing a secure identity of e-mail messages.
“My view is that's a small cost to pay for the improved security,” he said. “I think it's a strong competitor for e-mail authentication.”
Sendmail, Emeryville, CA, which makes open source e-mail delivery systems, began testing e-mail authentication technologies in March. Sendmail is testing DomainKeys and Sender ID, the combined Microsoft and Sender Policy Framework standard. The tests evaluate e-mail authentication solutions for their effect on user experience, ease of implementation and security.
“We need real-world data about how well both of them are working,” said Miles Libbey, anti-spam product manager at Yahoo.
DomainKeys is a public-private encryption system that assigns e-mail messages a digital signature in the header containing a private key. Receivers would match up the private key with a public key each Internet domain would register with the Internet's Domain Name System. The receiving servers match up the two keys to determine whether an incoming message is valid and whether the content has been changed.
Sender ID is the combined standard of Microsoft's authentication protocol and Meng Wong's open-source SPF technology. Sender ID is thought to be easier to implement, because it only requires senders to register their servers in their domain name records. DomainKeys, however, is thought of as the more sophisticated solution because it authenticates the entire message, not just the sender.
“It's good news,” Meng Wong said of the Sendmail test. “It means crypto solutions won't be as expensive as we'd feared.”
The test also found DomainKeys used 15.2 percent more processing power for inbound messages, which Olson said would be similar for Sender ID because both need to check Domain Name System records.
The need for e-mail authentication systems has risen along with the influx of so-called phishing scams, where scammers send messages made to look like they are from financial institutions to obtain passwords and banking information. Thanks to a flaw in the current e-mail architecture, e-mail from addresses can be changed easily. A May report by researcher Gartner Group estimated phishing attacks cost U.S. businesses $1.2 billion last year.
“Phishing is out of control,” Olson said. “This can shut that down right away.”
The extent of the problem has spurred some cooperation. In June, Yahoo joined Microsoft, AOL and EarthLink in an agreement to test both e-mail authentication technologies, though the ISPs did not commit to implementation of either of the dominant proposals or provide a roadmap for a single standard.
Sender ID has gained momentum as a near-term authentication protocol. More than 19,000 domains now publish SPF records and about 20 e-mail sending products support it, according to Wong. The Direct Marketing Association plans an online seminar Aug. 18-19 to instruct members about how to comply with the standard. The E-mail Service Provider Coalition and Microsoft are holding a meeting in Redmond, WA, today to educate commercial e-mailers about Sender ID. More than 100 participants are expected.
Libbey said Yahoo's focus would remain on testing and developing DomainKeys, which it plans to implement by the end of the year. He objects to the notion that the implementation of DomainKeys should come after Sender ID, since only real-world use of both will reveal their strengths and weaknesses.
“This test shows we can add strong authentication solutions to e-mail, like DomainKeys, and have minimal impact to the scalability of the system,” he said.
Both Sender ID and DomainKeys are under review by the Internet Engineering Task Force, the standards body for the Internet. Last week, Yahoo met with the task force in the first step toward forming a working group that will evaluate DomainKeys as a potential industry standard and suggest changes to the specification. Yahoo also has released an open-source, royalty-free add-on of DomainKeys for mail transfer agents at domainkeys.sourceforge.net.
