If you and I have ever talked on the topic of authentication, then I know you’ve heard me talk about how I think you should authenticate now, even though not many ISPs are currently doing very much with that data. What you’re doing, I’ve explained, is setting the stage so that ISPs have authentication data at their fingertips, WHEN they decide to do more with authentication, down the road.
Just about any ISP of significant size is going to do something with authentication data, eventually. It takes time, but slowly, ISPs are starting to look at authentication data. Hotmail looks for Sender ID or SPF records. Yahoo requires DomainKeys for feedback loop participation.
And now, Gmail’s starting to utilize authentication in a new, and very significant, way. Last week, Gmail announced that they are working with eBay and PayPal to help combat phishing and spoofing. They’ll be rejecting messages that purport to be from eBay or PayPal, if those messages are not properly signed with DomainKeys Identified Mail (DKIM).
Google’s Brad Taylor explains: “Now any email that claims to come from "paypal.com" or "ebay.com" (and their international versions) is authenticated by Gmail and -- here comes the important part -- rejected if it fails to verify as actually coming from PayPal or eBay. That's right: you won't even see the phishing message in your spam folder. Gmail just won't accept it at all. Conversely, if you get a message in Gmail where the "From" says "@paypal.com" or "@ebay.com," then you'll know it actually came from PayPal or eBay.”
This is great news for Gmail users, as it helps keep certain types of phishing and spoof emails away from them. What you do not receive, you cannot fall victim to.
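The rule described above can be sketched as a receiving-side check. This is an added example, not Gmail's code or part of the original post. It assumes the receiver's own DKIM verifier has already recorded its verdict in an Authentication-Results header under the hypothetical identifier mx.example.net; the function names and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two domains named in the post; its "international versions" are not listed there.
PROTECTED = {"paypal.com", "ebay.com"}
AUTHSERV_ID = "mx.example.net"  # hypothetical: identifier of our own DKIM verifier

def from_domain(msg):
    """Domain of the visible From: address, lowercased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """Signing domains (d=) that our own verifier recorded as dkim=pass."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue  # not stamped by us, so the sender could have forged it
        for clause in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", clause, re.I):
                d = re.search(r"\bheader\.d\s*=\s*([^\s;]+)", clause, re.I)
                if d:
                    passed.add(d.group(1).lower())
    return passed

def decide(raw):
    """'reject' when From: claims a protected domain without a passing signature from it."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    if domain not in PROTECTED:
        return "accept"  # ordinary mail: left to normal spam filtering
    return "accept" if domain in dkim_pass_domains(msg) else "reject"

def sample(sender, auth_results):
    """Build a constructed test message."""
    return f"Authentication-Results: {auth_results}\nFrom: {sender}\nSubject: Your account\n\nbody\n"

# Constructed messages, not real mail.
GENUINE = sample("PayPal <service@paypal.com>", "mx.example.net; dkim=pass header.d=paypal.com")
UNSIGNED = sample("service@paypal.com", "mx.example.net; dkim=none")
WRONG_SIGNER = sample("eBay <member@ebay.com>", "mx.example.net; dkim=pass header.d=bulk.example")
FORGED_STAMP = sample("service@paypal.com", "relay.example; dkim=pass header.d=paypal.com")
ORDINARY = sample("news@shop.example", "mx.example.net; dkim=none")

if __name__ == "__main__":
    for name in ("GENUINE", "UNSIGNED", "WRONG_SIGNER", "FORGED_STAMP", "ORDINARY"):
        print(name, decide(globals()[name]))
```

The WRONG_SIGNER and FORGED_STAMP cases show why a passing signature alone is not enough: the signing domain has to match the domain in the From line, and the verdict has to come from the receiver's own verifier.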
But this means quite a bit to you and me, as well. This signifies a huge step forward in how receiving sites are using authentication to make a determination as to whether or not to accept or reject mail. Today, it’s individual agreements with eBay and PayPal. Tomorrow, who knows.
I can guess, though. And my guess is that eventually, Gmail will expand their use of DKIM, and other ISPs will follow suit. There will come a time when unauthenticated mail will be subject to much stronger spam filtering, or will be much more likely to be rejected.
That’s why it’s important for you to give ISPs the important data they need to tell good mail from bad mail. Email authentication is an important part of that process.
