The Federal Trade Commission is asking for public comment on its interpretation of the CAN-SPAM Act, the landmark Federal law that defines the limits of acceptable commercial email and spells out tough penalties for spammers. This is an opportunity for the FTC to help fix a longstanding flaw in email and speed up the day when we can finally trust email.
While the act itself can’t be changed (it’s a Federal law) the FTC does have to interpret the law and enforce it. To that end, the agency published a set of guidelines (known as the CAN-SPAM Rule) that it’s been using, and occasionally updating, since the act itself passed in 2003.
It’s a great time to review those rules and incorporate some of the advances in technology we’ve seen since then. That’s why we support the Online Trust Alliance’s suggestions to the FTC, which call for some adjustments that would greatly increase the amount of trust people could invest in their email.
The technology that can help
When the CAN-SPAM Act first passed, spam was a pernicious problem that the Internet community had only started to get a handle on.
A lot has changed since then, as the OTA notes. For instance, content filters have become immensely more sophisticated and effective, while receiving servers have learned to use sender reputations to quarantine the worst offenders while greenlighting the good actors.
We’ve also seen the introduction of email authentication standards aimed at stemming the tide of spam and phish by making senders more accountable for the emails they transmit: Sender Policy Framework (SPF) has been in development since 2003 and in wide use since 2006; DomainKeys Identified Mail (DKIM) since 2004; and Domain-based Message Authentication, Reporting, and Conformance (DMARC) since 2012. With these standards in place, it’s now possible for senders to identify themselves positively and reliably.
Email authentication opens up some interesting possibilities for battling spam. Given the widespread use of authentication among email receivers, these standards are now effective tools for ensuring compliance with the CAN-SPAM Act's requirement that businesses not use false or misleading header information. Businesses that implement DMARC with a policy of p=reject or p=quarantine can help protect themselves against CAN-SPAM violations by ensuring that their domains are not misused by unauthorized third parties.
As the use of email authentication increases even further, email service providers will be able to use authentication in making delivery decisions for inbound mail. If a message is sent from a known, trusted, and authenticated sender, it’s far less likely to be spam than something coming from an unknown and unauthenticated sender. Right now, the implementation of email authentication by enterprises is growing, but isn’t yet widespread enough for ESPs to give this criterion a lot of weight. But as usage of DMARC by enterprises grows, the day is coming when that will change.
It’s not the FTC’s place to recommend specific technologies to the masses, but its rule could certainly recognize the value of email authentication and its usefulness in establishing the identity of senders (something that CAN-SPAM does address). For instance, it could add a section on email authentication to its CAN-SPAM compliance guidelines for businesses.
This one clarification could change everything
Related to this is the fact that email messages carry a variety of headers that can be analyzed to indicate where a message originates: From, Reply-to, Return-Path, and DKIM-Signature.
While the CAN-SPAM Act refers to the "from" line, industry practice (via the SPF and DKIM standards) allows senders to identify themselves via Return-Path and DKIM-Signature fields.
The FTC should add a definition to clarify that the "from" line mentioned in the CAN-SPAM Act should be interpreted to refer only to the From field that is visible to the end user, not the Reply-to or Return-Path fields. (Technically, this is the RFC5322.From field.)
Here's the relevant text from the Act:
(B) a "from" line (the line identifying or purporting to identify a person initiating the message) that accurately identifies any person who initiated the message shall not be considered materially false or materially misleading
As the OTA wrote in its letter, “we recommend that the definition of ‘From’ in the Rule be specified as the ‘From’ that is presented to the user in their email client.”
Doing so would clear the path for the FTC to enforce CAN-SPAM violations that involve impersonators who put one address in Reply-to or Return-Path, but another one in the From field. Sound outlandish? That’s exactly what many phishers do when trying to trick recipients into downloading malware or handing over account credentials.
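To make the header distinction above concrete, here is an added example (not code from the original post or from the OTA) of how a receiving side compares the user-visible RFC5322.From domain with the two identities that SPF and DKIM actually vouch for, the Return-Path (RFC5321.MailFrom) domain and the DKIM d= domain, using DMARC-style identifier alignment. It assumes the SPF and DKIM verdicts have already been recorded by a trusted MTA in an Authentication-Results header, and it approximates the organizational domain with the last two labels; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # DMARC identifier alignment: strict = exact match, relaxed = same org domain.
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(raw: str, strict: bool = False) -> dict:
    # Pull the three identities the post contrasts: visible From, Return-Path, DKIM d=.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mailfrom_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    # SPF/DKIM verdicts are read from the receiving MTA's Authentication-Results
    # header; this example does not re-verify signatures or DNS records itself.
    verdicts = dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))
    spf_ok = verdicts.get("spf") == "pass" and aligned(mailfrom_domain, from_domain, strict)
    dkim_ok = verdicts.get("dkim") == "pass" and aligned(dkim_domain, from_domain, strict)
    return {"from": from_domain, "mailfrom": mailfrom_domain, "dkim_d": dkim_domain,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: the user-visible From claims bank.example, but SPF and DKIM
# both pass for an unrelated domain, so neither authenticated identity aligns.
SAMPLE = """\
Return-Path: <bounce@mailer.phish-example.net>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mailer.phish-example.net; dkim=pass header.d=phish-example.net
DKIM-Signature: v=1; a=rsa-sha256; d=phish-example.net; s=sel; h=from:to; bh=X; b=Y
From: "Example Bank" <alerts@bank.example>
Reply-To: support@phish-example.net
To: victim@example.org
Subject: Verify your account

Please log in.
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

A message like this passes SPF and DKIM on their own terms yet fails DMARC, which is precisely the gap the "From" definition proposed above is meant to close.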
In short, we’re a huge fan of the CAN-SPAM Act, as it’s done an enormous amount to help clean up the email ecosystem over the past decade and a half. With a few judicious tweaks to the FTC’s CAN-SPAM Rule, this law can become even more effective at making email more trustworthy and reliable.
Note: The FTC is publishing the public comments it has received on CAN-SPAM, and you can make your own comments to the FTC about its CAN-SPAM Rule here.
Top photo: A can of spam. Source: Isabelle Hurbain-Palatin/Flickr