E-mail sender authentication: It works but doesn't stop spam

A growing number of companies are using e-mail authentication protocols to help verify the Internet domain in an e-mail sender's address, but that is not keeping spam out of mailboxes.

Those are among the findings in an analysis of millions of e-mails by CipherTrust Inc. of Alpharetta, Ga.

The study focused on the effectiveness of Sender Policy Framework, a protocol supported by CipherTrust's IronMail e-mail security appliance.

SPF is effective in identifying spoofed e-mail addresses, but if spammers publish SPF records with legitimate domains, their spam is passed through the system.

And spammers appear to be among the early adopters of SPF.

'According to CipherTrust research, 34 percent more spam is passing SPF checks than legitimate e-mail,' the study found.

SPF allows a domain-holder, either an enterprise or individual, to publish a list of IP addresses from which e-mail can legitimately be sent from that domain. Servers receiving e-mail can check the published list to see if the sender's address is good. If the address does not appear on the domain's SPF list, it has been spoofed and can be rejected.

The technology still is in the early stages of deployment. A CipherTrust survey of Fortune 1,000 companies in April found only 11 had published SPF records to enable their e-mail to be authenticated. In August, that number had climbed to 31.

A new contender in authentication is the Sender ID Framework, a combination of Microsoft Corp.'s proposed Caller ID for E-mail protocol and SPF, along with a specification called Submitter Optimization.

CipherTrust conducted its study on messages collected from more than 1,000 customers using its IronMail appliance between May and August. Although relatively few domains have published SPF records, nearly 5 percent of e-mail messages identified as spam came from domains using SPF. Of those, 1.3 percent had been spoofed, and 3.6 percent were genuine, indicating that spammers are publishing SPF records at a higher rate than noncommercial e-mailers.

The use of authentication protocols could help fight fraud. It will not necessarily stop spam, but it could help to keep the spammers honest.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected