RealTime IT News

Did AOL Jump the Gun With Sender ID?

Did AOL jump the gun in its decision Wednesday to ditch Sender ID and continue with its Sender Policy Framework (SPF) deployment in the battle against spam? Developments among working groups forming a new worldwide protocol for authenticating e-mail might deflect AOL's objections.

As internetnews.com first reported Wednesday, AOL Spokesperson Nicholas Graham said the ISP was withdrawing its support for the Sender ID protocol for two reasons: lack of support from the open source community and Microsoft's decision to discard one e-mail verification standard for another.

"AOL has serious, technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification, a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan," Graham said.

The world's top ISP didn't completely sever its ties to Sender ID: The company will still publish Sender ID files so its users' e-mails are compliant with Sender ID-enabled servers and applications.

AOL's biggest concern, according to Graham, is with the technical limitations introduced into SPF with its assimilation by Caller ID for E-Mail earlier this year.

He points to Sender ID's focus on verifying e-mails using the RFC 2822 standard, which checks an e-mail's header information. The original SPF, which AOL has supported since early this year, favored RFC 2821. That standard verifies e-mail using envelope information found in SMTP conversations and is commonly called "mailfrom" verification.
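The two checks can name different domains for the same message. The sketch below is an added illustration, not code from AOL, Microsoft or the MARID drafts: it pulls the RFC 2821 "mailfrom" domain from the SMTP envelope and the RFC 2822 header identity from a constructed message. The header priority used for the header side (Resent-Sender, Resent-From, Sender, From) is a simplified form of the Purported Responsible Address selection later published as RFC 4407, and every address and function name is made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a list server relays Alice's mail.
ENVELOPE_MAIL_FROM = "MAIL FROM:<bounces@list.example.net>"
MESSAGE = """\
Received: from mx.list.example.net by mx.receiver.example
From: Alice <alice@example.org>
To: discuss@list.example.net
Subject: meeting notes

body
"""

# Simplified PRA priority; the Resent-* block ordering rules are omitted.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(address):
    """Return the lowercased domain of an address, or None if it has none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def mailfrom_domain(command):
    """Domain of the reverse-path in an RFC 2821 MAIL FROM command."""
    verb, _, rest = command.partition(":")
    if verb.strip().upper() != "MAIL FROM":
        raise ValueError("not a MAIL FROM command")
    parts = rest.split()                 # drops ESMTP parameters such as SIZE=
    path = parts[0] if parts else ""
    return domain_of(path.strip("<>"))   # null sender "<>" yields None

def pra_domain(raw_message):
    """(header name, domain) of the first non-empty header in PRA_HEADERS."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return name, domain_of(values[0])
    return None, None

def identities(command, raw_message):
    """The domain each scheme would look up for one delivery."""
    header, pra = pra_domain(raw_message)
    return {"mailfrom": mailfrom_domain(command), "pra_header": header, "pra": pra}

if __name__ == "__main__":
    print(identities(ENVELOPE_MAIL_FROM, MESSAGE))
```

For this relayed message a "mailfrom" check consults the list server's domain, while a header-based check consults the original author's domain, so the same delivery can pass one test and fail the other.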

However, AOL's main justification was undercut Thursday morning when a member of the MTA Authentication in DNS (MARID) working group submitted an Internet draft (draft-ietf-marid-mailfrom-00) that allows for RFC 2821 "mailfrom" checks in Sender ID.

Carl Hutzler, AOL director of anti-spam operations, posted a comment to the MARID working group Thursday afternoon explaining that, while the ISP remains committed to sender identity technologies, it is going in another direction.

"We intend to begin beta testing SPF on our inbound systems very soon (weeks from now)," the e-mail posting said. "SPF is low hanging fruit that will benefit AOL and many other domains although it will not work for 100 percent of the mail we receive. But it will work for more than 80 percent of the mail we receive and that is good enough for a first strike.

"We also believe that the best way to secure the [2822] FROM address is a content signing approach which is out of the scope of this working group," he continued. "We hope to see a new group formed to tackle the issues in this arena."

Still, Graham also said AOL hasn't ruled out the possibility of returning to Sender ID in light of the revised drafts, but not without changes to Microsoft's current technology and legal issues.

"Bottom line is - if Sender ID supported [RFC 2821] authentication, and backwards compatibility with SPF version 1, and lost the licensing so that many others would adopt it, we would consider doing it also," he told internetnews.com.

The ISP's defection puts a crimp in Microsoft's plans for worldwide Sender ID adoption. David Anderson, president and CEO of Sendmail, the company that develops a commercial version of the highly popular open source software of the same name, and a Sender ID proponent, said AOL's departure is a blow to the technology's adoption as a universal standard for e-mail authentication, though not a death knell.

"On the basis of Microsoft's use alone, and the fact that volume senders will need to include Sender ID information in order to get their messages sent to Hotmail, I still expect to see significant adoption of Sender ID," he said. "But clearly, it's not going to be as widespread as it would have been otherwise."

Sender ID was already in trouble before AOL's departure. The Redmond giant has been steadfast in its refusal to disclose the specifics on patents surrounding the Sender ID technology, saying only that the claims involve Sender ID and the Purported Responsible Address (PRA) algorithm used in conjunction. Microsoft also is requiring Sender ID implementers to sign a license agreement to protect those unspecified patents, the terms of which -- mainly the sub-licensing and non-transferability clauses -- have the open source community up in arms.

Over the weekend, the MARID working group missed its deadline for moving the Sender ID specification onto the next step in the IETF standards process, the Internet Engineering Steering Group (IESG), and is currently working on re-drafting certain aspects of the technology to accommodate "mailfrom" verification.

For AOL, the concerns of the open source community are an important but not critical reason for withdrawing full support of the Sender ID technology. In fact, the company has gone out of its way to support Sender ID in the past. Last month, Hutzler posted an e-mail to the MARID working group list stating the ISP had no problems with Microsoft's license agreement.

"Some have complained about the nuisance of applying for a license for every 'small organization' and potential costs of that," he stated. "Folks really want a GPL. While I understand this, AOL is not in this category and likely would not see licensing this technology as an undue burden."