Forgery has perplexed and stymied human trust since writing and the use of paper became pervasive, particularly for financial transactions. One of the first prohibitions against forgery was when the Romans outlawed falsifying documents that transferred land to heirs. Over time the extent of forgery broadened to include tampering, counterfeiting, and misrepresentation. Illegitimate conveyances evolved into falsifying paper notes as well. For example, in England during the early 19th century, 1-pound notes were incredibly easy to replicate, which lead to the mass incarceration of approximately 100,000 people over a 7-year period. Laws continually developed to match the sophistication levels of those committing the forgery, though it was still difficult to identify incredibly convincing forgeries.
With the promulgation of technology, these issues increased a hundredfold. Where technology is meant to improve the quality of life and streamline certain processes, the continued concern of forgery or misrepresentation has denied more sensitive transactions the benefit of technology. Complex financial transactions or something as relatively straightforward as a house closing still rely on traditional methods of approval and confirmation. Certain banks warn consumers not to trust email communications sent from them or not to respond to phone calls where someone claims to be a representative from the bank. As a result, despite all the innovation that has occurred, the old models remain, meaning people still need to appear in person or by proxy for anything involving money transferring hands.
The problem continues even for less sensitive, but still incredibly critical, communications. Employees are now warned that, because of the sophistication of external technologies and techniques like phishing, not to click on certain emails or not to click on links within an email, even when those emails are purportedly from someone within their own company. This is compounded when an employee regularly receives communication from someone like a financial officer who has time constraints on closing a matter that involves money and expects the employee to diligently follow through on their requests. Sometimes the volume is such that it does not make sense for the financial officer to personally appear and make each request to the employee.
As a result, email authentication is used to prevent phishing, spoofing, spamming, and other forms of fraud. Because of the rising sophistication of these techniques, false senders were able to get passwords, account information, personally identifiable information, and financial information. False senders may also manipulate recipients to take certain actions, which could be harmful to themselves or others. Email authentication may help an internet service provider (ISP) properly identify the sender of an email and intercept or prevent these communications from going through. This practice is meant to simplify and automate the process of identifying a sender and is also supposed to improve the likelihood that a legitimate email goes to its intended recipient.
Three major forms of email authentication systems include the sender policy framework (SPF), the DomainKeys identified mail (DKIM) method, and the Domain-based Message Authentication, Reporting, and Conformance (DMARC) system. SPF cross-checks the domain in a sender's email against the published record the sender has registered in the Domain Name System (DNS). DKIM is a cryptographic, signature-based form of email authentication, where public/private key pairs are generated and checked against each other to ensure that the message was not altered and was from the original sender. DMARC mixes the SPF and DKIM systems, which allows an administrator to specify which mechanism is used when sending an email from their domain. DMARC does not directly address whether an email is spam or fraudulent. Instead, it requires that a message passes either DKIM or SPF validation as well as a process called alignment.
Despite these current solutions to email communication authentication, it is clear the solutions require extensive integration and technical understanding that may confuse and unnecessarily complicate an everyday email user. Organizations with complex systems may be able to educate employees or customers to these methods, but there is still a steep education curve involved as well as an implementation process. Further, some of these authentication processes still cannot indicate whether an email is fraudulent.