Is E-Mail Authentication the Answer?

Methods to authenticate e-mail senders will finally be in widespread testing, thanks to initiatives from Microsoft, Yahoo! and their partners.

Testing programs are intended to modify the sending and receiving e-mail infrastructure so sender identity can be confirmed. Such systems are thought to be the first step to solving the spam problem, and offer more immediate relief to issues like spoofing and phishing.

The kick-off to what’s likely to be a period of enormous learning was a keynote address delivered by Microsoft chairman and chief software architect Bill Gates at the RSA Conference Tuesday. In it, he outlined the technology giant’s vision for stopping spam, dubbed the Coordinated Spam Reduction Initiative (CSRI). The first element is an authentication system, Caller ID for E-Mail.

“The spec itself has been under development for over a year now,” said George Webb, business manager of the Anti-Spam Technology and Strategy Group at Microsoft. “Now is the time to go broadly public and do end-to-end testing. We’d like to do that as quickly as we can to get the learnings under our belt and hone the spec to something that can be truly implementable.”

Caller ID for E-Mail is similar to Yahoo!’s DomainKeys proposal and Sender Protected From, the protocol America Online began testing earlier this year. All use the existing domain name system (DNS) to enable sender identity verification.

Under the Caller ID system, e-mail senders publish the IP addresses of their outgoing mail servers in an e-mail policy document in the DNS. Recipients take the domain name in the “from” field and check whether the IP address the message was sent from is on that domain’s list. If there’s no match, the sending address is likely spoofed, or forged.
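The recipient-side check described above, sketched in Python as an added example; it is not code from the Caller ID specification or from this article. The in-memory PUBLISHED_POLICIES table and lookup_policy() are hypothetical stand-ins for the DNS lookup and do not reproduce the real record format, and all domains and addresses are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the policy documents senders publish in DNS
# (assumption: a plain list of networks, not the real record format).
PUBLISHED_POLICIES = {
    "example.com": ["192.0.2.0/28", "198.51.100.25/32"],
    "example.org": [],  # policy published, but no outbound servers listed
}

def lookup_policy(domain):
    """Hypothetical resolver: list of networks, or None if nothing is published."""
    nets = PUBLISHED_POLICIES.get(domain.lower().rstrip("."))
    if nets is None:
        return None
    return [ipaddress.ip_network(n) for n in nets]

def check_sender(raw_message, connecting_ip):
    """Return 'match', 'mismatch', 'no-policy' or 'no-sender'."""
    msg = message_from_string(raw_message)
    # Use the address part of From, never the display name: the display
    # name is free text and can itself contain a trusted-looking address.
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "no-sender"
    domain = addr.rsplit("@", 1)[1]
    policy = lookup_policy(domain)
    if policy is None:
        # No published list means the check cannot say anything either way.
        return "no-policy"
    ip = ipaddress.ip_address(connecting_ip)
    return "match" if any(ip in net for net in policy) else "mismatch"

# Constructed sample message.
SAMPLE = ('From: "Example Bank" <alerts@example.com>\r\n'
          "To: user@example.net\r\nSubject: Statement\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for ip in ("192.0.2.5", "203.0.113.9"):
        print(ip, check_sender(SAMPLE, ip))
```

A "no-policy" result is distinct from "mismatch": a domain that has published nothing cannot be verified, so this check only protects domains whose owners have listed their outgoing servers.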

Spoofing, and the related practice of phishing, are growing problems, both for consumers who fall victim and for the brands misrepresented. Phishing scams are estimated to have caused between $13.5 billion and $16.4 billion in damage worldwide in 2003, according to security firm mi2g. Damages exceeded $8.9 billion in the first two months of 2004, the company estimates.

Microsoft has begun using the Caller ID technology for outbound messages sent through its popular Hotmail system. It plans to have the inbound side ready to test by early summer. The company also rounded up a long list of partners to help with the testing process.

In the most significant of these deals, MTA provider Sendmail is working with Microsoft to distribute a plug-in for its commercial and open-source products. This allows Sendmail MTA users to easily implement Caller ID, so they can both send verifiable e-mail and check sender identity on received e-mail. The company says over 60 percent of the world’s e-mail traffic runs on its MTA.

Sendmail is also working with Yahoo! to develop a plug-in that lets clients use the portal player’s DomainKeys system. Testing of that solution is expected to begin in March.

“We’re going to be supporting the mainstream systems that are going to get wide adoption,” said Rand Wacker, director of product strategy and planning at Sendmail. “Honestly, I can’t think of anything on the Internet that has settled on one implementation, especially where it comes to e-mail.”

Anti-spam firm Brightmail is aligned with the Microsoft camp, for now. The company agreed to integrate Caller ID with its Reputation Service, which allows its ISP and enterprise clients to filter based upon the reputation of the verified sender.

Even AOL, which has been independently testing SPF, says it will test the Caller ID for E-Mail system for sending. It’s also expected to conduct tests on the processing of inbound mail, the more complicated part of the systems, later this year.

“None of these events would have been possible if we hadn’t brought together the four largest ISPs in the industry,” said AOL spokesperson Nicholas Graham, referring to the Anti-Spam Alliance the four formed last year. “At this point, we are a glory of riches in proposed anti-spam solutions because we joined together.”

Members of the NAI’s E-Mail Service Provider Coalition (ESPC) are also participating in the testing, according to Margaret Olson, co-chair of the group’s technology committee and CTO of Roving Software. Olson added that testing would likely start with a sub-set of members involving a sub-set of their clients.

“It’s certainly our intention to test all three of the major proposals,” said Olson. “We need to see a solution to the spam problem. The more mail that’s sent sooner, the sooner we’re going to find out what works and what doesn’t work.”
