Sendmail Starts Testing of Sender ID System
Sendmail's Web site, Sendmail.net, has a free, open-source plug-in to Sendmail's e-mail routing platform, which routes more than 60 percent of e-mail on the Internet. The tests -- part of Emeryville, CA-based Sendmail's Messaging Integrity Pilot Program -- will give real-world feedback from e-mail administrators on the strengths and limitations of different proposed protocols for authenticating e-mail.
In addition to the Sender ID mail filter, Sendmail also is testing Yahoo's DomainKeys system.
"If we can assess the impact on the majority of the mail software out there, then that's where you get an idea of how it works on the current environment," said Rand Wacker, Sendmail's director of product strategy and planning.
Sender ID and DomainKeys have emerged as the top solutions for making sure e-mail comes from where it purports to originate. The technologies are meant to guard against spoofed addresses and phishing attacks, which Gartner Research estimates cost U.S. banks $1.2 billion last year. A secure e-mail identity also is needed for the implementation of reputation systems, like IronPort's Bonded Sender, to fight the broader spam problem and cut down on improperly filtered e-mail.
Sender ID is the combined Internet protocol-based standard of Microsoft's Caller ID authentication protocol and Meng Wong's open-source Sender Policy Framework technology. DomainKeys is a public-private encryption system that assigns e-mail messages a digital signature in the header that contains a private key.
Sender ID is thought by industry experts to be easier to implement, since it only requires senders to register their servers in their domain name records. DomainKeys is considered the more sophisticated solution, since it authenticates the entire message, not just the sender.
Last week, Sendmail released a benchmark test of DomainKeys that found the cryptographic system would not cost as much to deploy as some have thought.
Sender ID has gained momentum as a near-term authentication protocol. More than 19,000 domains publish SPF records and 20 e-mail sending products support it, according to Wong.
Sendmail urges testing of the Sender ID mail filter by companies whose e-mail is most often spoofed, such as banks and e-commerce businesses. AOL will begin checking incoming e-mail messages against its Sender ID records in September. Microsoft plans to check for Sender ID at its Hotmail and MSN e-mail services by October. Sendmail anticipates top ISPs will require the publication of Sender ID records in late 2005.
The Direct Marketing Association has urged its members to publish their server records to comply with Sender ID. The E-mail Service Provider Coalition has made compliance mandatory for members.
The Internet Engineering Task Force, the standards body for the Internet, is reviewing both Sender ID and DomainKeys.