In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers. 

In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email. 

Many major financial insitutions are on-board this bandwagon as well, but clearly there is room for improvement.  As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS 100 members are currently using any form of email authentication.  A statistic that seems to be quite different than the adoption rates of F500 brands.  For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value in the implementation of these solutions. 

Will SPF and DKIM stop spoofing?  No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials. 

The question that I would pose here is that for the increased consumer confidence that is attempting to be fostered by using email authentication technologies, is it too little too late?  I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore or have moved away from online banking entirely solely because of their concerns of having their identities stolen.  In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not even dealing with their bank via online means.   This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals. 

Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet.  To that point, when I think about where we are today with the low level of trust that users have overall with email as a communication and marketing vehicle, I believe that as an industry that we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.