AOL Dumps Sender ID

AOL has withdrawn its support for Microsoft’s controversial Sender ID technology and is falling back on Sender Policy Framework (SPF), has learned.

“Given recent concerns expressed by the Internet Engineering Task Force (IETF), coupled with the tepid support for Sender ID in the open source community, AOL has decided to move forward with SPF,” Nicholas Graham, AOL spokesperson, told via e-mail.

Microsoft said it had no comment on AOL’s decision.

Despite the bombshell decision, the world’s top ISP isn’t completely severing its ties to Sender ID: The company still will publish Sender ID files so its users’ e-mails are compliant with Sender ID-enabled servers and applications. But it’s enough of a vote of no confidence in Microsoft’s e-mail authentication strategy to warrant concern for Sender ID proponents.

The Redmond giant has been steadfast in its refusal to disclose specifics on patents surrounding the Sender ID technology, saying only that the claims involve Sender ID and the Purported Responsible Address (PRA) algorithm used in conjunction with it. Microsoft also is requiring Sender ID implementers to sign a license agreement to protect those unspecified patents, the terms of which have the open source community up in arms.

It’s the second setback for Microsoft in a week: Over the weekend, the MTA Authentication for DNS (MARID) working group missed its deadline for moving the Sender ID specification onto the next step in the IETF standards process, the Internet Engineering Steering Group, and is currently working on re-drafting certain aspects of the technology to assuage critics.

For AOL, the concerns of the open source community are an important but not critical reason for withdrawing full support of the Sender ID technology. The ISP’s concerns, according to Graham, focus on the technical limitations introduced into SPF with its assimilation by Caller ID for E-Mail earlier this year. He points to Sender ID’s focus on verifying e-mails using RFC 2822, which checks an e-mail’s header information. SPF, which AOL has supported since late last year, favors RFC 2821, which verifies e-mail using envelope information found in SMTP conversations and is commonly called “mailfrom” verification.

“AOL has serious, technical concerns that Sender ID appears not to be fully, backwardly-compatible with the original SPF specification – a result of recent changes to the protocol and a wholesale change from what was first envisioned in the original Sender ID plan,” Graham said.

According to Graham, AOL plans to continue with its SPF deployment and work on more tests with related authentication technologies like Yahoo’s Domain Keys. SPF is widely deployed around the world already and has a huge following; according to Graham, the authentication technology is used on the e-mail servers of more than 86,000 domains today.

“AOL remains committed to testing authentication technology in the real world environment of large scale ISPs,” he said. “SPF is the ‘low-hanging fruit’ in the authentication debate and, given the momentum and common ground with the SPF protocol, is the logical first step in the journey to combat spam.”

Updates prior version to include Microsoft’s comment

News Around the Web