Sender ID Hiccups Unlikely to Derail E-Mail Identity
Doubt was cast on Sender ID's future after Microsoft hit stiff resistance to its requirement that e-mail receivers sign a royalty-free licensing agreement for a key technology component of Sender ID.
The objections bubbled over into the standards process that has begun in the Internet Engineering Task Force, with open-source advocates arguing that Microsoft's patent claims and licensing requirements made Sender ID unacceptable.
In a compromise announced by e-mail Saturday, the IETF working group's co-chair, Andrew Newton, put the issue aside because no consensus could be reached. The compromise lets e-mail receivers verify e-mail using either Microsoft's patented method, known as Purported Responsible Address, or an open-source mode, now called Sender Policy Framework Classic.
"There are now two mini-standards within the broader standard," Microsoft spokesman Sean Sundwall said. "It would have been nice to have one, but it's better than five or 10."
He attributed the IETF disagreements to a "vocal minority" and a "holy war that open source has made against intellectual property and any commercial software model."
Sundwall said Microsoft would begin checking incoming e-mail for Sender ID records in October. By year's end, he said, most e-mail coming to MSN and Hotmail will be checked for Sender ID records. AOL plans to require members of its e-mail whitelist to maintain SPF records "in the near future." Yahoo plans to implement its DomainKeys authentication technology by the end of the year.
Regardless of the checking method, e-mail executives said the standards disputes would cause few headaches for senders, other than possibly the need to publish their server records in two different forms: one to satisfy Sender ID checks and another for checks using the open-source method. Sundwall said Microsoft plans to publish its own server records in both the Sender ID and SPF Classic formats.
"The process for a sender is not very difficult or time intensive," he said.
In an interview late last week, SPF creator Meng Wong held out the possibility that senders will need to publish only a single record that satisfies both methods.
Sender ID supporters think it eventually will gain widespread acceptance as it proves more effective at detecting fraudulent e-mail.
"I think recipients are going to figure out very fast that they want their mailboxes protected by Sender ID," said Margaret Olson, technology committee co-chair for the E-mail Service Provider Coalition, which has endorsed Sender ID.
Microsoft struck an agreement with Wong in May to merge its original Caller ID protocol with his open-source SPF standard. SPF has the advantage of widespread penetration in the sending community, with 19,000 domains publishing records.
E-mail authentication methods, like Sender ID and DomainKeys, aim to fix a flaw in the e-mail architecture that gives senders anonymity. This has led to a sharp rise in "phishing" attacks that use fake e-mail addresses. A typical phishing message would appear to a receiver as coming from eBay or PayPal and ask for credit card information or passwords. Gartner Research estimates phishing cost U.S. financial institutions $1.2 billion last year.
Anne Mitchell, president/CEO of the Institute for Spam and Internet Public Policy, said that though a single unified standard would be ideal, the lack of a unified standard is not a major blow to e-mail authentication.
"I don't think there will ever be one standard, anyway," she said.
Establishing a secure e-mail identity is also seen as a key first step to stopping spam, as it lets accreditation and reputation systems hold senders accountable for their e-mailing behavior.