What's the difference between "challenge-response" and "sender verification," or "sender verification" and "sender authentication?"
Several readers have asked us that, given the topics we have covered in Ezine-Tips in recent days.
Although the definitions seem to be changing almost every day, and my definitions might vary from someone else's, here are three ways to understand these terms, all of which describe new fronts in the battle against unsolicited commercial email:
Challenge-response
This is the general term for an email-control system that requires senders to respond to a challenge in order to have their emails delivered.
Typically, it issues a "challenge" via an automated message back to the sender, telling the sender it must respond to that message before its emails will be passed through. It does this whenever it receives an email from a sender who's not on the "whitelist," or list of approved addresses.
Most, such as Spam Arrest, Mailwasher, Matador or MailBlocks, require the sender to visit a Web site set up to display a unique feature, such as a word, a number or a picture, and to answer the challenge correctly. If the sender does, the system adds the sender's email address to a whitelist and waves all emails through after that, unless the recipient decides to block them.
A challenge-response system usually quarantines the sender's email until the sender follows the unique URL that goes out in the automated message and the system gets the right ping back from it. You shouldn't have to resend a message, although some publishers have told me their emails still don't go through.
Challenge-response assumes that bulk-email programs can't respond individually to the challenges, and someone sending out millions of spam emails won't bother.
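The flow described above, as an added example (not code from any of the products named): an unknown sender is quarantined and challenged with an unguessable token, answering the token whitelists the sender and releases the held mail, and a bulk sender that never answers stays in quarantine. The message fields and addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str


@dataclass
class ChallengeResponseFilter:
    """Constructed model of a challenge-response mail filter."""
    whitelist: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)     # token -> sender awaiting answer
    quarantine: dict = field(default_factory=dict)  # sender -> held messages
    inbox: list = field(default_factory=list)
    outbound: list = field(default_factory=list)    # (sender, token) challenges sent

    def receive(self, msg):
        """Deliver mail from approved senders; quarantine and challenge anyone else."""
        if msg.sender in self.blocked:
            return "dropped"
        if msg.sender in self.whitelist:
            self.inbox.append(msg)
            return "delivered"
        self.quarantine.setdefault(msg.sender, []).append(msg)
        # One outstanding challenge per sender; the token must be unguessable,
        # otherwise a bulk mailer could answer without ever seeing the challenge.
        if msg.sender not in self.pending.values():
            token = secrets.token_urlsafe(16)
            self.pending[token] = msg.sender
            self.outbound.append((msg.sender, token))
        return "challenged"

    def answer_challenge(self, token):
        """Called when the sender visits the unique URL carrying the token."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return False        # unknown or already-used token: nothing happens
        self.whitelist.add(sender)
        # Release everything held for this sender, oldest first
        self.inbox.extend(self.quarantine.pop(sender, []))
        return True

    def block(self, sender):
        """Recipient decides to block a sender even after it answered."""
        self.whitelist.discard(sender)
        self.blocked.add(sender)
```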
Challenge-response poses its own challenges to email publishers, both technical and philosophical. You can read one email publisher's response to this trend in spam-fighting in a previous Ezine-Tip, and find more in our archives:
"The Challenge of Challenge-Response"
Sender verification
Although this can be as simple as requiring you to visit a Web site and type in your sending address, verification more often is something that happens as soon as your email hits your recipient's mail server.
The server reviews all the information in your email headers (the routing and ID information at the top of each email message) and looks for anything questionable, such as addresses that don't match, domain names that it can't verify or other inconsistencies.
Sender authentication
This term, also called "trusted sender" or "certified sender," refers to programs that you initiate, instead of your recipient's mail server. Some of these insert a code in your email headers or register your sending address so that a recipient ISP will recognize it and pass it through without throwing up a roadblock.
This process requires a network of ISPs that agree to recognize the header code or address. However, its proponents argue that authenticating senders at the server level, without using challenges or requiring recipients to set up their own filter systems, is the only reliable way to stop spam.
A variation on this is the "bonded sender" program, which charges senders a bond, or flat fee, and deducts an amount each time the sender's mailings generate a spam complaint.
Two companies that have gone down the sender-authentication route are Habeas, which inserts a copyrighted haiku into the sender's email headers, and IronPort, which pioneered the bonded-sender idea in email.
The new initiative Project Lumos also promotes the idea of sender authentication and accountability; read more about it here:
"The Future is ... Accountability?"