Microsoft, AOL Merge E-mail Identity Standards
Under an agreement reached between Microsoft and Meng Wong, the author of SPF, the two standards will become a single standard. The official SPF-Caller ID specification is to be published next month. Microsoft said a combined standard would be submitted for review to the Internet Engineering Task Force, the Internet standards body.
The discussions for combining the two authentication standards began last week at the IETF. In February, Microsoft released Caller ID for E-mail, its Internet protocol-level technology for establishing secure e-mail identity. AOL had endorsed SPF, an open standard developed by Wong and others. Yahoo has championed its own authentication technology, DomainKeys, which takes a different approach than Caller ID and SPF.
"With over 14,000 domains publishing SPF records, Microsoft realized SPF had the support of the masses, so now we're going to work together to make both parties happy -- Microsoft and the open community," Wong said.
E-mail authentication schemes are meant to fix a flaw in the e-mail architecture that gives senders anonymity. This has led to a sharp rise in so-called phishing attacks. A typical phishing message would appear to a receiver as coming from eBay or PayPal. It would request credit card information or passwords. According to the Anti-Phishing Working Group, there were 1,125 phishing attacks last month.
Caller ID, SPF and DomainKeys are designed to eliminate this. They could pave the way for Internet service providers to institute accreditation systems, such as IronPort's Bonded Sender, which would rate bulk senders based on their complaint levels. Spammers, it is believed, would be more easily weeded out from legitimate senders.
Caller ID and SPF are seen by many industry experts as easier to implement than Yahoo's DomainKeys, which would require more infrastructure work since it authenticates the entire message.
"DomainKeys is the long-term approach," Wong said.
Sean Sundwall, a Microsoft spokesman, called DomainKeys "a great solution," and added that Microsoft was interested in testing it as a further authentication step. In the meantime, he said Caller ID-SPF represents the best chance to create an industry consensus.
"This is a huge step to address the phishing and domain-spoofing problems," he said.
AOL spokesman Nicholas Graham welcomed Microsoft's move, noting AOL was the first ISP to endorse SPF in December 2003.
"Merging into one standard is a breakthrough in what really is a joint and collaborative effort to combat spam," he said.
Outgoing Federal Trade Commission chairman Timothy Muris told the Senate last week that advances in establishing trusted e-mail identity would help in the fight against spam, since the root causes are the anonymity of e-mail and the low cost of sending millions of messages.
"I would say spoofing and phishing are very big problems in the messaging community," said Omar Tellez, a founding member of the Messaging Anti-Abuse Working Group. "If people stop trusting e-mail, people will stop using e-mail."
Caller ID required senders to publish the Internet protocol addresses of their outbound servers in the Domain Name System. Receiving e-mail systems checked the message against the DNS to see if it matches the registered server. SPF worked similarly. It used domain registration records and a list of servers the domain owners use to send e-mail. But unlike Caller ID, SPF checked mail at the message-transport level, not the message body header.
The merged SPF-Caller ID proposal splits the difference, allowing receivers to authenticate either way. Senders would publish information about their outgoing e-mail servers in the DNS using XML. The system would accommodate senders that have already published SPF TXT format records.
"Previously, if people published SPF records, they had to worry that Microsoft might not honor them," Wong said. "If people published Caller ID records, they had to worry that SPF implementations might not honor them. This way, they don't have to worry."
According to Wong, the merged standard also addresses shortcomings in SPF, notably its inability to authenticate forwarded messages. To get around this, the new protocol would require a forwarded message header to include a "RFROM" line containing the original sender. This address would be checked against the DNS records.