One of the biggest problems with e-mail is the complete lack of an inherent security model. Like the telephone, most people have come to take e-mail for granted; expecting that it simply works. Most e-mail users do not know how easy it is to forge almost every aspect of an e-mail message. We have all received spam that, when viewed in our e-mail client (Outlook, Entourage, Gmail, etc.) appears to have been sent to us, from us. How can this happen?

There is a common misconception amongst many in the e-mail security space that anti-fraud technologies like Sender Policy Framework (SPF), SenderID and Domain Keys Identified Mail (DKIM) are part and parcel anti-spam technologies. While it is true that anti-fraud/anti-forgery technologies have a nice side-effect of preventing some spam, this is not their main goal. In addition, by lumping these imporant technologies in as simply anti-spam misses the point and tends to dimish the importance of these technologies.

Protecting your domain from e-mail forgery is up to you; the owner of the domain. Does your domain publish a Sender Policy Framwork (SPF) record (http://www.openspf.org/)? If not, why? What are you waiting for? Is your inbound e-mail checked to see if the sender’s domain publishes a SPF record? If not, why? After all, if the sender’s domain administrator has elected to take domain forgery seriously, you should as well. Finally, are you recognizing DKIM (http://www.dkim.org/) signatures for inbound e-mail and is your e-mail server signing outbound e-mail?

In case you are wondering… Google, eBay, Yahoo, Cisco, and many other large companies are now on the DKIM bandwagon.

The following excerpt comes from MSNBC’s “The Red Tape Chronicles” :

[Let me begin by saying that you cannot make this stuff up!]

Friday: 10 Oct 2008
(http://redtape.msnbc.com/2008/10/att-customer-ca.html#posts)

AT&T reserves the right to change its terms of service by sending its Internet service customers an e-mail. Apparently, it also reserves the right to deposit those e-mails into its customers’ junk mail folders.

Last month, AT&T made some controversial changes to its Internet policies. Verbiage indicating that high-bandwidth users might experience some intentional slowdowns irritated some techies; another section that forces customers to use binding arbitration to resolve disputes annoyed consumer organizations; and an L.A. Times reporter bristled at the size of the full new agreement — 2,500 pages.

But Lance Mead, an AT&T Internet customer from Encino, Calif., almost missed the entire controversy. His notification of the new terms of service was sent via e-mail on Sept. 18, but AT&T’s own spam filters trapped the e-mail as spam and deposited it in his junk mail folder, he said. On a whim, he checked the folder and spotted the notice. He was furious.

Someone — anyone — please tell me how this is not proof positive the entire premise behind e-mail spam filtering is seriously flawed? I completely understand that mistakes happen. However, these “mistakes” are also considered “false positives.” In the “e-mail game” it is the false-positives that cost business real money. Is it really the end of the world if 5% to 10% of the e-mail received in your inbox is spam? Probably not. It is unnecessary, annoying, and unproductive to be forced to wade through spam, but missing an important e-mail thanks to the flawed concept of filters, a.k.a. guessing machines, should be considered absolutely unacceptable.