Objections to Microsoft's licensing requirement for Sender ID e-mail authentication technology could delay its widespread implementation.
Microsoft faces stiff resistance to its requirement that e-mail receivers sign a royalty-free licensing agreement for a key technology component of Sender ID. Open-source software developers The Apache Software Foundation and the Debian Project said they will not agree to sign the license, which does not allow users to pass on or alter the technology. Open-source advocates also object to Microsoft applying for Sender ID-related patents.
“We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards and specifically incompatible with the Apache License 2.0,” the foundation said in a statement.
The objections have spilled over into the standards process, with the MTA Authorization Records in DNS working group, known as MARID, considering changes to Sender ID before the standard fragments. MARID's co-chairs set a Sept. 10 deadline for deciding whether consensus exists to move Sender ID forward as a standard under the Internet Engineering Task Force or whether to go back to iron out differences.
“We need to come up with a solution that people can agree on from a technical standpoint and an [intellectual property] standpoint and move forward,” said Rand Wacker, director of product strategy and planning for Sendmail, an Emeryville, CA, e-mail software firm.
The licensing flap comes after months of momentum for Sender ID to be the first step in verifying the identity of e-mail senders. Microsoft struck a deal with Meng Wong in May to merge its Caller ID protocol with his open-source SPF standard. It now appears that a single standard might not emerge.
On Wednesday, MARID co-chair Andrew Newton noted the lack of consensus in the group and proposed a compromise that would let e-mail receivers check mail using either the technology Microsoft asserts intellectual property rights on, or by the method originally proposed in the Sender Policy Framework e-mail authentication standard.
“I think we're going to see SPF classic and Sender ID both proceed,” Wong said. “That makes it less of a threat for deployment.
“Senders will probably get to publish just a single record.”
Wong advises senders to publish their SPF records while MARID hammers out a standard.
The combined Sender ID standard has won several endorsements from e-mailers, including the E-mail Service Provider Coalition. More than 19,000 domains have published their SPF records. The licensing controversy applies just to the receiving side, since e-mailers would need to register only the Internet Protocol addresses of their servers in their domain records.
“Regardless of where MARID ends up, Sender ID will be a reality for large senders,” said Trevor Hughes, executive director of the coalition. “Our hope is that we can create greater penetration for the tool because we think the consistency and universal appeal for authentication is a good thing.”
Wong predicted that MARID's sometimes-contentious debates eventually would produce a compromise.
“I think the standard will satisfy everyone except Microsoft,” he said.
In response to requests for comment, Microsoft issued a statement: “There is broad support for Sender ID technology, and we encourage others to support and implement this technology so that together we can do more to stop spam.”
E-mail authentication standards, like Sender ID and Yahoo's DomainKeys, aim to fix a flaw in the e-mail architecture that gives senders anonymity. This has led to a sharp rise in phishing attacks that use fake e-mail addresses. A typical phishing message would appear to a receiver as coming from eBay or PayPal and ask for credit card information or passwords. Gartner Research estimates that phishing cost U.S. financial institutions $1.2 billion last year.
Establishing a secure e-mail identity is also seen as a key first step to stopping spam, as it lets accreditation and reputation systems hold senders accountable for their behavior.
“Sender ID is definitely still going to be a factor,” said David Daniels, an analyst with Jupiter Research. “It's just a matter of how long this debate is going to go on about the licensing.”
Any breakdown or delay in industry implementation of e-mail authentication could draw government scrutiny. When the Federal Trade Commission rejected the creation of a do-not-e-mail list in June, it said e-mail identity should be the priority of the e-mail industry. Then-FTC chairman Timothy Muris held out the possibility of the federal government creating a standard if private industry fails. The FTC plans an e-mail authentication summit in the fall.