Announced Action for June 22, 2005

Authentication Web site: As part of its continuing efforts to assist the private market in the creation, testing, evaluation, and deployment of the anti-spam and anti-phishing technology known as “domain-level authentication,” the Federal Trade Commission has established a Web site where technologists can share the results of tests on various domain-level authentication standards. The site is located at https://secure.commentworks.com/FTC-EmailAuthenticationQuestionnaire/

Domain-level authentication would assist ISPs and other operators of e-mail servers by removing a spam- and phish-enabling flaw in the Internet protocol for e-mail, Simple Mail Transfer Protocol (“SMTP”). With SMTP, a spammer or phisher can falsify the “from” line appearing in an e-mail message. With domain-level authentication, an ISP or other operator of an e-mail server will be able to verify that a message actually comes from the domain appearing in the “from” address. For instance, with domain-level authentication, an ISP could verify that a message purporting to be from abc@ftc.gov actually came from an e-mail account located at ftc.gov.

In November 2004, the FTC and the Department of Commerce's National Institute for Standards and Technology ("NIST") held a two-day E-mail Authentication Summit, at which the proponents of five of the proposed domain-level authentication standards agreed to make their testing results public in order to assist in the evaluation of their standards. These five standards are the Internet Protocol ("IP")-based proposals "Sender ID" and Client SMTP Validation ("CSV"), and the cryptographic-based approaches Bounce Address Tag Validation ("BATV"), "DomainKeys" and Identified Internet Mail ("IIM"). The FTC’s new Web site provides a forum for the sharing of this testing data and contains several technologically-based questions that address issues such as the functionality, interoperability, scalability, and effectiveness of these standards. The proponents of these five standards and all other members of the public who are testing domain-level authentication standards are invited to submit their testing results to the FTC and to help identify domain-level authentication standards that aid the fight against spam and phishing, are inexpensive and simple to implement, and do not negatively impact the e-mail system. (Staff contact is Sana Coleman, 202-326-2249)