Agility Loop

Today in GCN, there is an article entitled Industry group gives government a failing grade in e-mail authentication — Government Computer News.  The main thrust of the article is detailing how most Government domains do not support any type of email domain authentication such as Sender ID or DomainKeys.

E-mail authentication technology, usually transparent to the end user, lets servers verify that e-mail traffic is indeed coming from the domain or sender that it purports to be from, and that the sender is authorized to use that domain. The OTA study showed that only 11 of 25 government domains examined use such authentication. A similar study of top commercial sites showed that the private sector is doing a little better, with 55 percent using some form of e-mail authentication.

To be fair, the private sector isn’t doing so great either at 55%.

What I find particularly ironic is that much of the government is ahead on PKI and other security technologies.  It seems like this would be a pretty easy solution to combat spam and phishing attacks.  I know in the past we have discuss using simple SMTP over SSL.  This would at least buy security of SMTP mail transfer, and authentication of domains (although it would be difficult to use with external email domains).  However, technology like DomainKeys (which Yahoo uses) is a more versatile solution than SMTP over SSL.  Hell it’s even open source, so costs COULD be minimal.