Closing email's 40-year trust gap

Opening an email message is often an exercise in trust. Do you know that the person or company whose name appears in the From field really sent that message? Are you sure? Is it safe to open any attachments or to click on links in the message?

For most of the time email has existed, the answer has been “No.” We just take it on faith that the sender's name and email address are legitimate and that they aren't trying to send us malware.

That's because, when the wizards who created the Internet first set up email's basic protocols, they balanced costs in computing power, implementation, and ease of use versus the risk of fraud. At the time, it was nearly inconceivable that 80 percent of all email would be malware, phish or spam. So they didn't include any provisions for authenticating the sender of an email.

That's led to a rash of phishing attacks aimed at getting employees or customers to click on malicious links, send W-2s and employee data to scammers, or wire funds into criminals' accounts. Just ask the people who received what looked like an email from the Kennedy School of Government at Harvard University, but which really came from Russian hackers -- and which contained a PDF loaded with malware. Or the employees at MedStar Health in Washington, DC, who received an email asking them to click on what seemed to be an innocuous link or PDF attachment, but was actually a virus that brought the entire system to its knees. It was a costly and dangerous mistake that revealed the deep vulnerabilities facing our national email and internet infrastructure today.

The good news is the situation is beginning to change for the better, thanks to a movement toward email authentication led by the major ISPs (Google, Yahoo, AOL and Microsoft). These companies and many others have recently converged around a set of email authentication standards called DMARC (Domain-based Message Authentication, Reporting, and Conformance). It's the keystone global standard, integrating two older authentication standards and aligning them in a way that makes it possible to authenticate the identity of an email sender easily, reliably, and quickly.

Word is spreading fast, even among the non-technical crowd, and increasingly, there are also good free tools that can quickly tell you if your domains and external services are authenticating properly.

If this all sounds a bit familiar, it should. In the late 1990s, ecommerce companies faced a similar “original sin” with the Internet's basic lack of encryption. Users were increasingly reluctant to use their credit cards online since they were being stolen in massive numbers. A coalition of banks, credit card companies and retailers, worried the nascent ecommerce surge would be hurt, decided to act. Credit card transactions over unencrypted, plain-text Web connections had to stop. But getting encrypted SSL connections to work meant getting a digital certificate and learning how to configure it properly, which was a daunting prospect for many 1990s retail companies.

VeriSign stepped into this gap with an easy-to-use digital certificate authority and an array of related services. This allowed banks and Visa to enforce the use of Secure Sockets Layer certificates (SSL certs). What happened next is now well-known: Thanks to SSL, the e-commerce revolution was able to blossom, boosting the economy and leading to myriad new industries.

With DMARC eliminating the lack of trust in the From field, we are about to see a similar transformation of email-based communications and commerce. Phishing attacks that spoof domain names will be stopped cold, because no unauthorized parties will be able to use those domains to send fraudulent emails that look like they come from someone else. Government agencies and companies will gain better control of their messaging systems, and will be able to designate which partners and vendors are allowed to send email on their behalf. And their IT teams will get detailed reports on who is actually sending email and who is attempting to send spoofed messages.

Now it's up to government and industry to act quickly to adopt these standards. The sooner we are able to regain trust in email, the sooner all of us -- citizens, consumers and employees alike -- will again enjoy the benefits of this amazing invention.


Alexander García-Tobar is the co-founder and CEO of ValiMail, a San Francisco-based email authentication tech company.