Asia's Source for Enterprise Network Knowledge

Thursday, April 24th, 2014

Information security management

Email authentication showdown - IP-based vs. signature-based, which one is best for you?

An important aspect of corporate email security architecture is its method of preventive countermeasures. These defenses are charged with thwarting a variety of threats, from spam and phishing to malware such as Trojans and rootkits. First-line countermeasures include message content inspection. This type of reactive system relies on signature engines and updated databases of known spam and phishing phrases. Additional prevention techniques employ domain filtering using blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze email based on collected content. However, these detection methods often fall short, relying on slow updates from limited data and producing unacceptable numbers of false positives. Furthermore, identity spoofing and domain hopping by malicious senders have weakened the effectiveness of these countermeasures.

In response, several types of email authentication technology have been developed and deployed, with varying results. The prevailing authentication methods fall into two categories: path-based and cryptography-based. Path-based, or IP-based, authentication systems evaluate the network path an email has traversed. They rely on DNS records that identify the IP addresses trusted to send on behalf of a domain, and validate the sender against those records. This straightforward approach of verifying the message path from sender to recipient has been widely adopted because it is simple to implement. Sender ID and the Sender Policy Framework (SPF) have emerged as the dominant path-based methods in use today. Both techniques publish DNS policy records, but they use them differently: SPF compares the DNS record against the email's return-path address (the envelope layer), while Sender ID validates the Purported Responsible Address (PRA) header in addition to checking the SPF record.
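To make the path-based check concrete, here is a small SPF evaluator written for this article as an added example (it is not code from the article or from any SPF library). It implements the `ip4`, `a`, `include` and `all` mechanisms with their qualifiers; the domains, IP addresses and DNS answers are constructed stand-ins using documentation ranges, so it runs offline. Note that an `include:` only counts as a match when the included domain's policy returns "pass", which is why a host covered only by a softfail in the included record still ends up failing the parent's `-all`.

```python
import ipaddress

# Constructed stand-in for DNS TXT and A lookups (no network access).
# A real verifier would query the sending domain's DNS for these records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 a:mx1.example.net ~all",
}
FAKE_A = {"mx1.example.net": ["203.0.113.5"]}

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate `domain`'s SPF record for the connecting IP `client_ip`.

    Subset of RFC 7208: supports ip4, a, include and all. Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:               # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = FAKE_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":      # CIDR or single host, e.g. ip4:192.0.2.0/24
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":        # A record of the named host (or the domain)
            matched = str(ip) in FAKE_A.get(arg or domain, [])
        elif name == "include":  # matches only if the included policy passes
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"   # unsupported mechanism in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"             # nothing matched and no 'all' term present
```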

Cryptographic, or signature-based, authentication systems rely on digitally signing messages with a public/private key pair (PKI). Recipient mail servers validate the signature using the public key retrieved from a DNS record published by the signing domain. This method is used by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years.