October 29, 2004 -- (WEB HOST INDUSTRY REVIEW) -- Microsoft is regaining support for Sender ID, its anti-spam specification, as AOL re-endorsed the technology after the software giant announced this week that it revised the specification to address patent issues.
"After sitting down with other industry leaders, critics and companies in the open source community to get their feedback, we revised the specification to ensure its compatibility with anyone who has previously published the Sender Policy Framework, or SPF," says Ryan Hamlin, general manager for Microsoft's safety technology and strategy group.
In September, the Internet Engineering Task Force shut down the internal group that was developing the standard. Many within the working group were not pleased with the system's inability to work with the previously published SPF standard.
Obtaining consensus within the open source community was also next to impossible, since many argued that Microsoft's patent claims would allow it to eventually charge royalties. Open source groups such as Apache refused to endorse the standard, and service providers such as AOL removed their support for Sender ID. Further, Meng Wong, the architect of SPF, publicly stated that he would continue to develop his technical specification by himself.
The Sender ID specification was initially the combination of Microsoft's Caller ID for email proposal, Wong's Sender Policy Framework and a third specification called Submitter Optimization. The potential departure of Wong was a major blow for Sender ID's development.
The near-death experience of an important industry standard designed to counter email domain spoofing and to provide greater protection against phishing schemes led Microsoft to revamp Sender ID to address the widespread industry concerns.
Eliminating domain spoofing enables legitimate senders to protect their domain names and reputations, and helps recipients more effectively identify and filter junk email and phishing scams.
"The revised specification now accepts the 60,000 or so domains out there that have already published SPF records, and allows companies to choose between the simple 'from' address verification or what is called a Purported Responsible Address verification, which some companies prefer," says Hamlin. "So we see this revised specification as a big step forward, and one that is really going to help facilitate deployment by allowing mail receivers to choose the method they would like to use."
Purported Responsible Address records allow service providers to check the "display address" in email headers against the IP addresses of the senders, preventing the use of forged display addresses in spam and phishing attacks. With the change, providers and senders now have the ability to publish and check the authenticity of email with both methods in Sender ID.
Sender ID seeks to verify that every email message originates from the Internet domain from which it claims to have been sent. It checks the address of the server sending the mail against a registered list of servers that the domain owner or email recipient has allowed to send email. This comparison is automatically performed by the Internet service provider or recipient's mail server before the email message is delivered. If the Sender ID verification passes, the message is delivered as regular mail. If the check fails, the message is further analyzed and may be refused by the receiving server, or flagged to the user as a possible deceptive message. Depending on the recipient's ISP or email server software, messages that fail the Sender ID check may be flagged and sorted differently.
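The two checks described above can be sketched in a few lines; this is an added illustration, not code from the article or from the Sender ID specification. It assumes a constructed policy table in place of DNS lookups, constructed domains and documentation-range IP addresses, a simplified header order for picking the Purported Responsible Address, and support for only the `ip4:` and `-all` terms of an SPF record.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of already-published SPF records.
PUBLISHED = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example": "v=spf1 ip4:198.51.100.7 -all",
}
# Assumed, simplified priority order for choosing the responsible header.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def pra_domain(msg):
    """Domain of the first usable header in PRA_HEADERS, or None."""
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            addr = parseaddr(value)[1]
            return addr.rsplit("@", 1)[1].lower() if "@" in addr else None
    return None

def check_ip(domain, client_ip):
    """Compare the connecting IP with the domain's published server list."""
    record = PUBLISHED.get(domain)
    if record is None:
        return "none"          # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"      # owner says no other server may send
    return "neutral"

def evaluate(raw_message, mail_from, client_ip):
    """Run both checks: envelope sender (mfrom) and header address (pra)."""
    msg = message_from_string(raw_message)
    mfrom_dom = mail_from.rsplit("@", 1)[1].lower()
    return {"mfrom": check_ip(mfrom_dom, client_ip),
            "pra": check_ip(pra_domain(msg), client_ip)}

# Constructed message: the display address claims a domain the server is not listed for.
SAMPLE = ("From: Bank Support <support@bank.example>\n"
          "To: user@recipient.example\n"
          "Subject: Account notice\n\n"
          "Constructed test message.\n")

if __name__ == "__main__":
    print(evaluate(SAMPLE, "bounce@bulk.example", "198.51.100.7"))
```

In the sample run the envelope check passes while the header check fails, which is the forged display address case that the Purported Responsible Address check is meant to catch.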
The Sender ID framework has been active on the Internet since the IETF granted it "experimental" status so that industry can evaluate it, along with competing email authentication standards. Microsoft continues to call for the standard's wide adoption and is encouraging an aggressive implementation schedule for its larger customers and service providers.