Industry group gives government a failing grade in e-mail authentication

Fewer than half of government agencies examined in a recent study by the Online Trust Alliance (OTA) are using authentication technology to protect against e-mail fraud and phishing.

E-mail authentication technology, usually transparent to the end user, lets servers verify that e-mail traffic is indeed coming from the domain or sender that it purports to be from, and that the sender is authorized to use that domain. The OTA study showed that only 11 of 25 government domains examined use such authentication. A similar study of top commercial sites showed that the private sector is doing a little better, with 55 percent using some form of e-mail authentication.

“It is incomprehensible that in this period of escalating online scams and diminishing consumer confidence these agencies and businesses continue to sit on the sidelines,” said OTA Chairman Craig Spiezle.

Because the addresses of an e-mail sender can be easily spoofed, the address of a supposedly trusted source can be used to get a message through spam filters and to lure victims to dangerous Web sites where malicious code can be downloaded to a computer or confidential information gathered that could lead to ID theft.

Such attacks not only harm the victim whose data is stolen, but also damage the reputation of the agency or business whose domain is being exploited. These issues are becoming increasingly important as businesses do more business online and government is looking for more ways to provide online services to citizens.

Available authentication tools include Sender Policy Framework or Sender ID, an open standard that allows the user to verify that the reputed sender is authorized to use the sender’s domain, based on policy information published by the domain’s owner. Domain Key Identified Mail is an authentication scheme in which e-mail is digitally signed by the outgoing server using PKI. This lets a receiving server verify that it actually came from the source it claims to. Both of these schemes are carried out without the intervention of the user sending or receiving the e-mail.

Among agencies using some form of e-mail authentication are the Census Bureau, the CIA, the Federal Deposit Insurance Corp., the Federal Trade Commission, the IRS and the Social Security Administration.

Those without some authentication include the Homeland Security Department, the FBI, the Secret Service and the White House.

OTA based its study on public DNS records of the domains, as well as an examination of more than 20 million e-mails purporting to have come from those domains. Criteria for the top 25 government agencies included past incidences of phishing and spoofing of the e-mail addresses, volume of site traffic and the potential for exploiting financial or personal data.

OTA is a nonprofit industry organization promoting the adoption of authentication technology to combat online crime and fraud. Members include companies engaged in online commerce, such as Bank of America, and IT vendors such as GoodMail Systems, Cisco Systems, Microsoft Corp., Symantec Corp. and VeriSign.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • power grid (elxeneize/

    Electric grid protection through low-cost sensors, machine learning

Reader Comments

Wed, Apr 15, 2009 Anonymous Computer Scientist

This is a poorly researched newspaper article. It reads like a press release from a consortium that has a commercial interest in the issue and is using GCN to get coverage. There are good reasons not to use SPF. Despite the OTA chairman's hyperventilating, failure to use SPF is not a serious breach. When OTA Chairman Spiezle says "It is incomprehensible that" agencies have not deployed SPF, I think that tells us as much about his level of comprehension as it tells us about those agencies.

Tue, Apr 14, 2009 Andrew Goss

You really hit the nail on the head, Ken. While much progress has been made with email authentication, much more needs to be done. OTA is curently crunching Fortune 500 authentication adoption numbers as we speak and will unveil those at the upcoming OTA Town Hall Forum at San Francisco's Palace Hotel on April 23rd. At that forum, OTA will also reveal what companies and institutions can be doing as best practices. More information on the upcoming Town Hall can be found at Sincerely, Andrew Goss on behalf of OTA

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group