Email authentication showdown: IP-based vs. signature-based

Listen to Noah's tip Download the author's email authentication advice to your PC or favorite mobile device.

In response, several types of email authentication technologies have been developed and implemented with varying results. Prevailing authentication methods categorically employ path-based or cryptography-based methods. Path-based or IP-based authentication systems evaluate the network path traversed by email. They rely on DNS records that identify trusted IP addresses for sender validation. This straightforward approach of verifying the message path from sender to recipient has been widely adopted due to its simple implementation. Sender ID and Sender Policy Framework have emerged as the dominant path-based methods in use today. While both of these techniques publish DNS policy records, they use them differently. SPF authentication compares the DNS record against the email's return-path address header (the envelope layer); while Sender ID uses a Purported Responsible Address header validation method, in addition to authenticating the SPF record.

Cryptographic, or signature-based authentication systems rely on digitally signing messages with PKI pairing. Recipient mail servers perform signature validation with public keys retrieved from DNS records. This method is utilized by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years.

For more information: In this expert Q&A, security threats expert Ed Skoudis unveils why antispam filters alone cannot solve the image spam problem. Application security expert Michael Cobb discusses the pros and cons of outsourcing email security services. In this monthly Downloads column, contributing editor Scott Sidel examines Clam AntiVirus, an antivirus toolkit specializing in email scanning on mail gateways.

While both IP-based and signature-based systems rely on the DNS infrastructure, they fundamentally differ in their focus of email analysis. Path-based systems examine where the message originated; while cryptographic methods look at who sent the message.

The corporate implementation of these two different authentication methods has revealed their situational strengths and weaknesses. The advantages of using a path-based approach include easy implementation and rapid deployment, without the cryptographic related impact on server performance. Therefore, path-based systems may be beneficial to companies looking to expedite a simple system with minimal resource constraints. However, signature-based standards have the added value of providing message integrity and greater resistance to mail forwarding limitations. Digitally-signed mail is best utilized as a robust solution for corporate protection of email containing intellectual property and other critically sensitive business information. Finally, it is important to note that these differing authentication solutions can work in tandem -- several IP/signature combination systems are presently being evaluated with promising results.

A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining proper requirements and resources for implementing an effective email security strategy. Since the protocols and standards for authentication will ultimately change with emerging threats, it's important to adopt authentication technologies with backwards compatibility and scalability. It is necessary to remember that authentication plays only one role in email security, and must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. Regardless of what email authentication method is employed, their true effectiveness will be ultimately determined by what prevails as an accepted global standard.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Application and Platform Security,   Email Security Guidelines, Encryption and Appliances,   Email Protection,   PKI and Digital Certificates,   User Authentication Services,   Enterprise Identity and Access Management,   Messaging Security School,   Email Security Best Practices: Tools, Systems and Threats,   Secure email encryption and authentication,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware When BIOS updates become malware attacks Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision PKI and Digital Certificates Best Authentication Products DoD urges less network anonymity, more PKI use Researchers to demonstrate new EV SSL man-in-the-middle hacks Portable security storage device could replace OTP devices What is most misunderstood about EV SSL certificates? VeriSign addresses MD5 flaw Rogue digital certificates strike blow to Internet security Can any firm or organization get a digital signature certificate? How to obtain a digital certificate for a server PKI and digital certificates: Security, authentication and implementation PKI and Digital Certificates Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.