Email Authentication

From EggeWiki

The battle against email spam has long been an interest of mine. Recently, I've had a couple of situations making me look into the current state of spam detection and avoidance. Specifically:

  • ThoughtWorks contracted MessageLabs to filter all inbound email. More and more companies are setting up spam filters, but fewer companies are looking into how to prevent their own email from getting filtered.
  • A new project at an Australian Bank is sending email to clients. Nothing has been done to see how we can send email and help reduce phishing, or how customers can verify that an email was actually sent by the bank. I won't say which bank, but I will say it's not HSBC.

There are several technologies which help spam filters filter spam. These include DomainKeys, Sender Policy Framework (SPF), and Sender ID. SPF is probably the easiest to implement, so I thought I'd check to see which major banks are using it. Here are the results:

Major US Commercial Banks

Name                      Has an SPF record
Bank of America Corp.     Yes
Citigroup                 Yes
Chase                     Yes
National City Corp        No
JPMorgan                  Yes
Wachovia                  Yes
Wells Fargo               Yes
US Bank                   Yes
SunTrust Banks            No

Major Australian Commercial Banks

Name                      Has an SPF record
Commonwealth Bank         No
HSBC Australia            Yes
Macquarie                 No
National Australia Bank   No
WestPac                   No
St. George                No

Select 'technology' companies

Name                      Has an SPF record
Apple                     Yes
Yahoo!                    No
Google                    Yes
ThoughtWorks              No
Microsoft                 Yes
Message Labs              No
O'Reilly Media            Yes
Accenture                 Yes
Electronic Data Systems   No

These checks were performed on July 13, 2007.
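
One way to run the "Has an SPF record" check behind the tables above, as an added example that is not from the original page. It assumes the TXT strings for each domain have already been fetched from DNS; the domains and records below are constructed sample data, and the function names are hypothetical.

```python
# Added example: classify a domain's TXT answers the way an SPF survey would.
# All domains and records below are constructed (example.* names).

POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def is_spf(record):
    # Only "v=spf1" alone or "v=spf1 ..." counts; "v=spf10 ..." is not SPF.
    r = record.strip().lower()
    return r == "v=spf1" or r.startswith("v=spf1 ")

def spf_status(txt_records):
    """Return (verdict, detail) for the TXT strings published at one domain."""
    spf = [r.strip() for r in txt_records if is_spf(r)]
    if not spf:
        return ("No", "no v=spf1 TXT record")
    if len(spf) > 1:
        # Receivers treat more than one SPF record as a permanent error,
        # so the domain is no better protected than one with none.
        return ("Invalid", "multiple v=spf1 records")
    terms = [t.lower() for t in spf[0].split()[1:]]
    for t in terms:
        if t.lstrip("+-~?") == "all":
            # The first "all" ends evaluation; no qualifier means "+".
            qualifier = t[0] if t[0] in POLICY else "+"
            return ("Yes", "unlisted senders: " + POLICY[qualifier])
    if any(t.startswith("redirect=") for t in terms):
        return ("Yes", "policy delegated via redirect")
    return ("Yes", "no 'all' term, unlisted senders: neutral")

# Constructed TXT answers, keyed by domain.
SAMPLE_TXT = {
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "shop.example": ["site-verification=constructed-token", "v=spf1 mx ~all"],
    "nospf.example": ["some unrelated text record"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "lookalike.example": ["v=spf10 mx -all"],
}

def survey(txt_by_domain):
    return {domain: spf_status(recs) for domain, recs in txt_by_domain.items()}

if __name__ == "__main__":
    for domain, (verdict, detail) in survey(SAMPLE_TXT).items():
        print(f"{domain:20} {verdict:8} {detail}")
```

A plain Yes/No column hides the difference between `-all`, `~all` and a record with no `all` term, which is what decides how a receiver treats mail from unlisted senders.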

