Sender Reputation: A Roadside Rescue for E-mail

Direct marketers have always valued e-mail for its low cost and easy adaptability. It can be personalized to the degree that they—and their customers—wish. Its delivery and open rates can be checked and benchmarked. It’s intimate, efficient and convenient.

And for all those reasons, it had an immediate appeal for the spammers.

The spam problem got so bad so fast that the public learned quickly to be suspicious of e-mail coming from unknown sources. (So much for using it as a legitimate vehicle to acquire new customers.) In response to industry and government pressure, spammers learned to hide the true origins of their messages, making themselves hard to find.

And technologists developed authentication protocols to verify that e-mail was indeed from the sender address it displayed. If a message didn’t authenticate properly, it could be assumed to be spam.

The only problem is that spammers themselves are complying with e-mail authentication. The protocols are cutting back on spoofed e-mail addresses and “phishing”, in which an e-mail impersonates an official message from sources consumers may trust, such as their service provider. But in terms of stopping the overall tide of junk mail, authentication can’t get the job done.

So the verdict is in: Authentication has failed. The spammers have taken up the technology and, as they have done so many times in the past, are using our weapons against us. In fact, spammers have adopted authentication at a greater rate than legitimate mailers, indicating that authentication has failed.

Or maybe not.

While many observers of the e-mail industry have officially pronounced authentication a disappointment, let’s take a step back and consider authentication in a different light. Imagine that authentication is a licensing system, much like we see in the world of automobiles.

Suppose that one day, a government agency should come out and pronounce that, in an effort to keep the worst drivers off the road, drivers are required to register their name with the agency, get a license plate and attach the license plate to their automobile. The agency goes on to establish that drivers who comply with this government requirement will be afforded access to a fast lane for licensed cars only.

Because of the requirement and the associated benefits, 90% of the drivers, both good and bad, have licensed their automobiles. Many observers complain, however, that all we have from this licensing system is a record of which specific driver is allowed to drive a car. Six months go by; the bad drivers are still on the road, and law enforcement is not any better equipped to stop them.

Then one day things start to change.

Having convinced drivers to license their automobiles, the government agency responsible for the program starts correlating cars with their owners, and with those owners’ driving performance. Now law enforcement can use the licensing system, once embraced by bad drivers for its privileges, to identify bad drivers’ cars, pull them over, issue tickets, raise their insurance rates or revoke their right to drive entirely. And good drivers everywhere rejoice.

Implementing current e-mail authentication solutions such as Sender Policy Framework (SPF), Sender ID, and DomainKeys is like putting license plates on cars without correlating any other information. All we know from authenticated e-mail today is that the IP address responsible for the e-mail is allowed to send for a given domain. In the same way that a license plate tells us nothing about the quality of the driver, just who owns the car, e-mail authentication tells us nothing about the quality of the e-mail, just who sent it.

But one day things will start to change.

Moving forward, ISPs and recipients will start to judge senders on their “driving records”, known as sender reputations. These will be based upon a sender’s past performance. Senders who distribute spam or abuse permission will see their reputation scores suffer, and this will allow the “information-superhighway patrol” to identify and apprehend the bad actors.

The foundation for a successful e-mail-reputation system is, of course, the ability to tie a reputation to a given sender. The e-mail authentication system we are adopting today will serve as the way ISPs and recipients correlate reputation to a sender tomorrow. If we can positively say that the purported sender of an e-mail is, in fact, who they say they are, we can, in turn, tie a reputation to that sender. If we know the reputation of a sender, ISPs and recipients can identify e-mail from known spammers, block it, and once again take control of their inbox.
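
The correlation described above, sketched as an added example that is not part of the original article: a receiver keys complaint history on the SPF-authenticated domain, so a passing check identifies the sender and the history decides the verdict. The sample headers, class and function names, and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (Authentication-Results header value, recipient complained?)
SAMPLE_MAIL = [
    ("mx.example.net; spf=pass smtp.mailfrom=news.shop.example", False),
    ("mx.example.net; spf=pass smtp.mailfrom=news.shop.example", False),
    ("mx.example.net; spf=pass smtp.mailfrom=news.shop.example", False),
    ("mx.example.net; spf=pass smtp.mailfrom=deals.bulk.example", True),
    ("mx.example.net; spf=pass smtp.mailfrom=deals.bulk.example", True),
    ("mx.example.net; spf=pass smtp.mailfrom=deals.bulk.example", False),
    ("mx.example.net; spf=fail smtp.mailfrom=news.shop.example", True),  # spoof
]
# smtp.mailfrom may be a bare domain or a full address; keep only the domain.
AUTH_RE = re.compile(r"\bspf=(\w+)\s+smtp\.mailfrom=(?:[^\s@;]+@)?([\w.-]+)", re.I)

def authenticated_domain(header):
    """The 'license plate': the sending domain, but only if SPF passed."""
    m = AUTH_RE.search(header)
    return m.group(2).lower() if m and m.group(1).lower() == "pass" else None

class ReputationStore:
    """The 'driving record': complaint history keyed by authenticated domain."""
    def __init__(self):
        self.seen = defaultdict(int)
        self.complaints = defaultdict(int)

    def record(self, header, complained):
        domain = authenticated_domain(header)
        if domain is None:
            return  # unauthenticated mail cannot be charged to any sender
        self.seen[domain] += 1
        self.complaints[domain] += int(complained)

    def verdict(self, header, max_rate=0.3, min_history=3):
        # max_rate and min_history are illustrative thresholds, not standards.
        domain = authenticated_domain(header)
        if domain is None:
            return "unverified"
        if self.seen[domain] < min_history:
            return "no-history"
        rate = self.complaints[domain] / self.seen[domain]
        return "block" if rate > max_rate else "deliver"

def build_store(mail=SAMPLE_MAIL):
    store = ReputationStore()
    for header, complained in mail:
        store.record(header, complained)
    return store
```

Both sample domains pass SPF, yet only one is delivered; the spoofed message that fails SPF is neither delivered on the good sender's record nor counted against it.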

And e-mail users everywhere can rejoice.

Quinn Jalli is director of privacy and ISP solutions for Digital Impact, a digital marketing solutions company.

