AOL Changes Authentication and Whitelist Standards

By George Bilbrey
VP & GM Delivery Assurance Solutions

We've recently learned some news from AOL about changes to how they authenticate inbound mail as well as changes to their whitelist program. We'll know more after a question and answer session with AOL this afternoon (hosted by the ESPC) but here's what we know now.

AOL Implements DKIM

It appears that AOL has been been using Domain Keys Identified Mail (DKIM) for a month now. With the addition of AOL, that makes three major North American ISPs (Yahoo, Google and AOL) that are using DKIM. If you've been thinking about implementing DKIM, this should make the decision a little easier.

A few things to note:

• DKIM (by itself) will not improve delivery rates - Like all authentication mechanisms, DKIM simply authenticates that the mail is from the domain that it purports to be from. That doesn't by itself mean that AOL should take the message.
• DKIM will help reduce spoofing - If the vast majority of messages from a given domain are authenticated and have a good reputation while the unauthenticated messages from a domain have a bad reputation, AOL will provide a negative spam rating to unauthenticated messages from the given domain.
• There is one more "identity element" on which to hang a reputation on (and to monitor) - Going forward, senders are going to have take into account both IP-based reputation and domain based reputation. AOL (and likely other ISPs) are going to take into account all available information about a given message (domain, IP, URLs, etc) before making a delivery decision.

Changes to AOL White List

AOL also will be making a few changes to the their whitelist - to the point where calling it a whitelist is probably a misnomer going forward. AOL indicates that in the future, the "whitelisting" process is simply a way for a mailer to introduce themselves to AOL and let AOL know a little about what kind of mail they are sending. AOL will want to know:

- Domain and IP information for each mail stream
- The kind of mail that is sent for each mail stream

AOL will then take that information and plug it into their reputation system. If your mailstream's performance varies a lot from what is expected for that type of mail stream (e.g., transactional mail) this will likely cause delivery issues. Currently whitelisted IP's will be subject to the same reputation process for determining delivery of email. There is no need for re-application (or re-introduction as the case may be). In AOL's analysis, that vast majority of whitelisted IP's will not be affected by the changes since their reputation is within guidelines.

We'll provide more information as we get it. In the meantime, learn more about DKIM. Sign up for our Quarterly Education Series on Authentication starting February 12th by emailing editor@returnpath.net.