Email Permission Keys

Adrian E. McElligott

What email have you lost today? --------------------------------------------What email has your Spam filter

lost today?

Are spam filter false positives a problem?

… “Sure email communication is unreliable – get over it.”

But what if we could avoid the…– frustration – time wasted– user support costs– lost of disenfranchised users – the cost of the lost messages themselves?

what if, as Spam filter providers, we could avoid the…

– professional embarrassment – humiliation– Damage to our brand and reputation,

of having our filters mistake’s highlighted to our users?

•Easiest lost message to avoid •Fear of this type of lost message is the most common reason for a user to frequent their Spam folder.

First Contact

RepliesSolicited

Bulk Email

Types of Lost Messages

•Least Likely to be discovered and manually recovered.

•Often brings new business

•Injury to user is great.

•Often incorrectly reported as Spam

•Damages user conference in their spam filter

•Annoying, disenfranchising

The real cost of lost messages

New Term: Lost Message Rate

• Lost messages erode the value of a Spam Filter.

• Exposing a user to spam in their junk folder is still exposing the user to Spam.

• If the user is routinely checking their junk folder then the filter is of diminished value.

Introducing Email Permission Keys

• Email Permission Keys (EPK) - are a unique key that is embedded in an email address in such a way that it is likely to be retained during normal use, and is therefore available to be extracted at a later date when that email address is used to send a message back to the original user.

• works with the existing Internet infrastructure • requires no modification to existing third

party processes

Key embedded in Recipient's Email Address

Key embedded in Sender’s Email Address

What do Email Permission Keys look like?

• unique code or key that is embedded in to an email address

• embedded in such a way that it is likely to be retained during normal use of that address

• works with the existing Internet infrastructure • requires no modification to existing third

party processes

john.smith+12345@example.com

"John Smith -12345" <john.smith@example.com>

joHN.SmiTH@eXamPLE.Com

"John Smith (joHN.SmiTH@eXamPLE.Com)" joHN.SmiTH@eXamPLE.Com

joHN.SmiTH+12345@eXamPLE.Com

Key

(Binary Code)

CaseKeys

Hybrid combinations

DisplayName

Addressing

Plus Addressing

Types of Permission Keys

Types of Permission Keys- Tagged Addressing

• Tagged Addressing, (Plus or Minus Addressing) is appending a key to the local part of an email address via standard tagged addressing.

• most appropriate for ‘typed-in addresses’ – business cards, off-line advertising etc.

• A typical Plus Addressing key may look something like this: john.smith+12345@example.com where 12345 is the key.

Types of Permission Keys- CaseKeys

• CaseKeys are a type of email permission key that use the CAsE of the LeTTerS that make up an email address to embed a unique key into every instance of that email address.

• A typical CaseKey might look like this: joHN.SmiTH@eXamPLE.Com

Types of Permission Keys- Display Name Addressing (DNA)

• A “Display Name Addressing” Key, is a type of email permission key that appends or encodes a unique key within the Display Name portion of the email address.

• A typical display name key may look something like this: "John Smith -12345" <john.smith@example.com>where 12345 is the key.

Types of Permission Keys- DNA/CaseKey Hybrid

• A DNA/CaseKey Hybrid key is a DNA key with a CaseKeyed representation of the protected user’s email address included in both the Display Name part of the email address and the “addr-spec address” - it is used in outgoing messages when tagged addressing is not supported.

• It may look like this – "John Smith (joHN.SmiTH@eXamPLE.Com)" joHN.SmiTH@eXamPLE.Com

• typically automatically inserted in to all instances of the protected user’s email address in all out-going messages.

Types of Permission Keys- Tagged Addressing/CaseKey Hybrid

• is a combination of the Plus Addressing and CaseKey methods.

• It is essentially a Tagged Addressing Key that has been CaseKey encoded. It may look like this –

joHN.SmiTH -12345@eXamPLE.Com• typically manually issued to a user via a user

interface for use on web forms

Permission Key Issuing Facilities

• New Permission Keys are randomly generated and issued from a key issuing facility

• There are three different types of key issuing facilities, each capable of issuing different forms of keys, and each positioned to reduce one or more types of false positives

The type of

issuing facility

that originally

issued the key

The time that the key was issued

The email address

of the recipient,

or where the key

was published IdentifyIssuingEvent

Who

How When

How Email Permission Keys Work

How Email Permission Keys Help

• Match an incoming email with an email issuing event

• Identify messages mistaken for spam• Improves User Confidence in their Spam

Filter

How Email Permission Keys help user feedback

dependant filters

• Provides automated “is not spam” feed back to the filter.

• Reduces User Trust Oscillation.

How Email Permission Keys Help DNSBL Filters

In systems that use DNSBL • Permission Keys allow the use of a more

aggressive list criterion thereby maximizing the proportion of messages that can be blocked at the SMTP Gateway.

• Permission Keys in either the SMTP envelop or the message headers can be used to identify legitimate messages before the entire message has been read from the wire.

Why they will use it

Email Permission Keys provide significant benefits to the end user, which include:

• Dramatically reducing a users exposure to spam. • Reclaiming time that is currently lost by the user

reviewing their Spam folder and looking for lost messages.

• Restoring confidence, alleviating fear, frustration and spam related stress.

• Optionally the user can be alerted each time that a lost message is found – reassuring the user that the system is working and maintaining the perceived value of the system form a user’s perspective.

Email Permission KeysSystem Components

• Client Side• Outbound Message

Key Insertion Function• Spam Folder

Monitoring Module

• Server SideKey Issuing Facility

– AJAX Web Service – UI for manual issuing– Key Custodian API

• GetKey • IsValidKey • InvalidateKey

• Access authentication • Key Generation• Key Storage & Retrieval • Reporting

The Global Key

Custodian

Dynamic Web

<mailto>tags

CorporateSpam Filters

ISPNetworkFilters

DesktopSpam Filters

End UserInterface

& Support

Introducing the Global Key Custodian

Business Model

• Perhaps the most significant benefit of an Email Permission Keys enabled system, is that it provides additional identifiable value to the end user – which can be used to generate an addition revenue stream to the service provider.

Business ModelMonetization

• Revenue Sharing, (Subscription / Advertising sponsored)

• Increase Subscriptions• Increased user loyalty• Premium service

There are a number of different models available to monetize the additional value that Email Permission Keys provide.

Business ModelUrgency

The Global Key

Custodian

Dynamic Web

<mailto>tags

CorporateSpam Filters

ISPNetworkFilters

DesktopSpam Filters

End UserInterface

& Support

For example, if a desktop filter provider implements email permission keys in their filter, and then at a later date the ISP implements email permission keys in their Network filter, then while each instance would respect and use each others keys, the providers revenue share would go to the desktop provider – as they were the first to issue a key for that user.

Under our revenue sharing model, once an email address has been associated to a service provide then it can’t be changed.

What is lost email costing you?

• Problems that result from lost messages– Unreliable communication– Misunderstandings– Damage to reputation / brand – Lost opportunities– Lost time– Exposure to spam

What would it be worth to your users to solve these problems?

What email have you lost today?

www.geobytes.com

The advantage of CaseKeys over just white listing

outbound recipients

• You can expire Email Permission Keys, and while you can blacklist an email address you can’t issue the compromised user a new email address.

• Email Permission Keys embed the key in the senders address, which propagates when the message is forwarded to a third user.

• Many users have multiple addresses feeding to the same inbox, so a reply may come from a different email address.

• Email Permission Key can validate the legitimacy of “First Contact” and “News Letter” messages.

How does this reduce spam?

• Whenever a user has to check their Spam folder, then they are still being exposed to all of their Spam - only the folder name is different.

• CaseKeys may well be the difference between a system that users trust and one that they don't - the difference between exposure to all of the Spam, or no Spam.

Q. Does publishing a keyed email address result in Spam

being falsely white listed?

• Keys that are published on web pages are set to auto expire.

• In the event that a Key does fall in to the wrong hands and did result in a False Negative, then the user clicking “Is Spam” would invalidate the Key.

New TermLost Message Rate (LMR)

• Is the percentage of legitimate messages that are mistaken for Spam. Traditionally the industry has used the statistical term “false positive” which does not truly reflect the proportion of legitimate messages that the filter is loosing.