Sender ID For E-Mail Goes Wild

Microsoft’s Sender ID for E-Mail might be down, but it’s certainly not out. Next week, a Canadian ISP will roll out what may be the first commercial service for an application of the e-mail authentication scheme that’s come under so much fire worldwide.

Internet Light and Power (ILAP) plans to start its $3.75 (U.S. dollars) monthly service Nov. 1, and is guaranteeing spam- and phishing-free inboxes for e-mails that contain SPF records.

Guaranteeing complete freedom from the two biggest e-mail plagues sounds like a recipe for disaster — many providers boast of spam-free inboxes, but rarely deliver. While it’s possible to block spam and phishing messages, the danger of “false positives,” inadvertently tagging legitimate messages as spam, has stopped many businesses from implementing draconian spam filters and blocks.

Tristan Goguen, ILAP president, believes Sender ID for E-Mail is the answer. The technology, a combination of Microsoft’s Caller ID for E-Mail and Sender Policy Framework (SPF), is used on e-mail servers and checks the SPF record on every e-mail (if it has one) to ensure the domain in the sender’s e-mail address is the same as the actual domain where the e-mail originated. If the information doesn’t match, it’s rejected.

ILAP said its e-mail firewall service, iPermitMail, currently blocks 99.9 percent of spam, but getting to that last .01 percent required a solution that addresses spoofed e-mails from seemingly-legitimate sources, called “Joe-jobbing.”

“[The reason we haven’t reached] 100 percent is because we’re not able to control the fraudulent use of e-mail addresses,” Goguen said. “We think the combination of SPF and Sender ID, on top of iPermitMail, can deliver 100 percent spam-free e-mail,” he said. “Now, we’re going to test that out in the wild, but we’re excited about what we’re seeing [in tests].”

The ISP takes a whitelist approach to its existing iPermitMail service, checking incoming e-mails against a list of addresses approved by the user. The inclusion of Sender ID for E-Mail adds another layer of authentication to the process. If the sending SMTP server delivers an e-mail from an address that is not on the whitelist, but the e-mail is legitimate because it contains an SPF record, it is forwarded to a queue where the user can ultimately decide whether to accept e-mail from that address or not.

For corporate networks, iPermitMail has a patent-pending process called “adaptive inheritance,” where e-mails approved by one member of the group apply to all users, reducing time spent approving individual e-mail addresses.

The crux of the problem, of course, is e-mails sent without an SPF record. Earlier this year, SPF author Meng Weng Wong said more than 20,000 domains around the world have been publishing SPF records since its inception in June 2003, though he wasn’t available at press time for an updated number. Within those 20,000 domains, however, are some big-time supporters, including: AOL, Yahoo, Google, Earthlink, Symantec, SAP, PairNIC.

Without an SPF record, the spam filter reverts to the existing technology, which doesn’t particularly worry Goguen. He feels the adoption rate to date has been exceptional and expects the industry to reach the “tipping point” soon enough.

“Our census is that 5 percent of the domains that we’re processing already have SPF records,” he said. “We believe that that’s actually fantastic, because this is such a short period of time that SPF has been out there and it’s become much more popular. The more SPF records we have the more effective our system is going to be.”

“We want to get the product out there, we want to prove it in the wild, we want to show that it is effective and we want to come out with some numbers shortly thereafter,” he added.

Despite the promise of the Sender ID for E-Mail technology, many e-mail server administrators are unwilling to use it because of the accompanying license agreement. Microsoft officials insist the technology only applies to the combined use of Sender ID with its patent-pending Purported Responsible Address (PRA) technology. But experts note the patent applications currently making their way through the U.S. Patent & Trademark Office (USPTO) are so broad in scope they could be applied to most of the anti-spam technology in use today.

It’s divided the industry in half, with the business community (for the most part) rallying behind the technology on one side and the open-source community on the other. Open source e-mail server software like Sendmail, qmail and Exim are the clear majority throughout the world and some of the terms in the license agreement preclude open source adoption.

Talks became so contentious between the two that an Internet Engineering Task Force (IETF) working group suspended work on all e-mail authentication technologies until the community had time to test actual deployments of Sender ID for E-Mail and other schemes.

Since then, however, news of Sender ID for E-Mail has been nearly non-existent. Despite many commercial entities testing the technology, to date only Sendmail, Inc., the commercial version of the popular open source application, has come out with a Sender ID plug-in for testing.

Like Sendmail Inc., iPermitMail is using an unlicensed version of Sender ID for E-Mail. Because the patents are pending at the USPTO, Microsoft officials say signing the agreement isn’t required.

“We’re reviewing it,” Goguen said. “We encourage Microsoft to work with the IETF to establish a standard with the appropriate licensing. We certainly have no intent on infringing, we will do the right thing; we’re just biding our time right now.”

iPermitMail may very well be the first true commercial implementation of the software. Goguen says he doesn’t know of any other company that is providing the service and Sean Sundwall, a spokesperson at Microsoft, said the company hasn’t heard of any others either, though they are encouraged by the new ILAP service.

“Adoption of Sender ID is a critical first step in providing the benefits and protection offered by e-mail authentication,” he said. “We call on all major senders of e-mail to publish their sender ID records as soon as possible.”

Goguen also said the $3.75 iPermitMail and Sender ID for E-mail service is discounted on volume requests from businesses and the company is working on providing a service for other ISPs.
