Microsoft Submits Merged Sender ID E-mail Spec

Welcome Guest. | Log In| Register | Membership Benefits

June 25, 2004 (11:28 AM EDT)

Microsoft Submits Merged Sender ID E-mail Spec

Microsoft finished blending its e-mail sender authentication scheme with the competing Sender Policy Framework (SPF) standard, and submitted the new specification to the Internet Engineering Task Force (IETF) for consideration.

Last month, Microsoft announced that it had come to an agreement with Meng Weng Wong, the creator of SPF, to merge his specification with the Redmond, Wash.-based developer's lesser-known rival, dubbed Caller ID for E-mail.

The new specification, called Sender ID, proposes that organizations publish information about their outgoing e-mail servers, particularly IP (Internet Protocol) addresses, in the Domain Name System (DNS) in XML. If adopted, Sender ID would serve as an e-mail authentication system that verifies the message actually originated with the purported address.

"Over half of the e-mail targeting our Hotmail customers today come from spoofed domains," said Ryan Hamlin, general manager of Microsoft's anti-spam group. "We are committed to taking this trick away from spammers."

All e-mail authentication schemes under consideration -- including Yahoo's DomainKeys, which has also been submitted to the IETF -- aim to shut down the use of spoofed, or forged, addresses, used by spammers to disguise the origin of junk mail. Spoofed addresses are also used by phishing scams, which pose as e-mail from legitimate organizations such as banks and credit card companies.

Sender ID and DomainKeys both hope to put an end to spoofing by confirming the sender's actual domain, and thus boost the effectiveness of spam filters, said Microsoft.

The blended specification uses both SPF's and Caller ID's testing methods. SPF relied on testing for spoofing at the message transport (SMTP) level, or envelope; Caller ID, however, proposed testing for spoofing in the message body headers. Together, the two techniques will let receiving systems block some spam messages before they're sent (one of SPF's advantages) as well as check message body header if a deeper examination of the contents is needed to sniff out spoofing.

Backward compatibility will be provided for the 20,000 domains that have already published information in SPF's TXT format.

Earlier this week, an alliance that includes Microsoft, America Online, Yahoo, and EarthLink endorsed sender authentication as one component of enterprises' "best practices" in the fight against spam.