Sender ID Splinters, But E-Mail ID Proceeds
Doubt was cast on Sender ID's future after objections to Microsoft's patent claims and licensing requirements for the technology bubbled over this month into the standards process under way in the Internet Engineering Task Force. The IETF working group failed to reach a consensus on using the Microsoft-endorsed version of Sender ID.
In a further blow, AOL withdrew its support for Sender ID on Sept. 15 after concluding the standard lacked enough support to go forward. Instead, AOL said it would check incoming e-mail using Sender Policy Framework, an open-source e-mail authentication standard that it first endorsed in December 2003, which was combined with Microsoft technology in May to make Sender ID.
Despite the compromise announced Sept. 11 by the IETF that would let e-mail receivers verify e-mail using either Microsoft's method or an open-source mode, AOL said Sender ID "appears not to be fully, backwardly compatible with the original SPF specification."
E-mail receivers likely will line up in either the Microsoft camp or AOL's. However, commercial e-mailers will need to accommodate both Sender ID and SPF, e-mail experts say. Microsoft's MSN and Hotmail services and AOL's 28 million subscriber base are key constituencies for commercial e-mailers.
"[Microsoft] will do what it's going to do, and the open-source people will do what they will do, and senders will have to satisfy both," said Meng Wong, the developer of SPF.
Regardless of the checking method, e-mail industry executives said the standards disputes would cause few headaches for senders other than possibly the need to publish their server records in two formats: one to satisfy Sender ID checks and another for checks using the open-source method.
Anne Mitchell, president/CEO of the Institute for Spam and Internet Public Policy, said publishing SPF records should be the first priority for e-mailers. AOL estimates more than 80,000 domains publish SPF records.
"Publish SPF, because it will only help, it won't hurt," she said.
Microsoft spokesman Sean Sundwall said Microsoft will check incoming mail to MSN and Hotmail for Sender ID records starting in October. AOL will begin checking inbound e-mail for SPF this fall, spokesman Nicholas Graham said. Microsoft and AOL gave clues to the need for dual compliance when each said they would publish their server records in both the SPF and Sender ID formats.
"There are now two mini-standards within the broader standard," Sundwall said. "It would have been nice to have one, but it's better than five or 10."
Wong said senders eventually would need to publish only a single record to satisfy both Sender ID and SPF and that the two modes for checking would not delay the move to e-mail authentication.
"If your 5-year-old wants McDonald's and your 4-year-old wants Taco Bell, and they're right next to each other, sometimes it's easiest to just drive through both of them," he said of the two methods.
Sender ID supporters say that the standard will remain a major factor in authentication. Despite losing AOL's backing, it is supported by Cloudmark, IronPort and Verisign. IronPort and Verisign confirmed their continued support. Cloudmark representatives were unavailable for comment.
"I think recipients are going to figure out very fast that they want their mailboxes protected by Sender ID," said Margaret Olson, co-chair for the E-mail Service Provider Coalition, which has endorsed Sender ID.
Sundwall attributed the IETF patent and licensing disagreements to a "vocal minority" waging a "holy war that open source has made against intellectual property and any commercial software model."
Graham said AOL's decision against deploying Sender ID was not made in reaction to concerns over Microsoft's intellectual property claims.
E-mail authentication technologies, like Sender ID, SPF and Yahoo's DomainKeys, aim to fix a flaw in the e-mail architecture that gives senders anonymity. This has led to a sharp rise in phishing attacks, which use fake e-mail addresses. A typical phishing message would appear to a receiver as coming from eBay or PayPal and ask for credit card information or passwords. Gartner Research estimates phishing cost U.S. financial institutions $1.2 billion last year.
Establishing a secure e-mail identity also is seen as a key first step to stopping spam, as it lets accreditation and reputation systems hold senders accountable for their e-mailing behavior.