Microsoft Anti-Spam Proposal in Merger Talks

Microsoft is in talks to merge its e-mail authentication scheme, Caller ID for E-Mail, with another plan, SPF, which stands for sender policy framework, ClickZ News has learned. Both standards are aimed at adding the identity element to e-mail, which is seen as a critical first step to fighting spoofing, phishing, and spam.

“We would like to see these things converge,” Ryan Hamlin, general manager of Microsoft’s Anti-Spam Technology and Strategy Group, told ClickZ News, a sister publication to “We’ve been here [standing in one place] for too long. We’re anxious to get moving.”

Discussions between Microsoft and the folks behind SPF have heated up this week at meetings of the Internet Engineering Task Force’s MARID group, and of the Messaging Anti-Abuse Working Group (MAAWG). What’s emerged is something that’s being called “the New SPF,” which merges aspects of both proposals and — critically for marketers — addresses the issue of forged “from” e-mail domains.

“It is still in flux so don’t take it as a fully-baked proposal; but it does lay out some new directions that people in the MARID interim meeting seem reasonably happy with in principle,” wrote Meng Weng Wong, the most well-known force behind SPF, in a discussion list dedicated to the standard. “More than anything I think they’re relieved that we finally have some kind of convergence so the uncertainty goes away.”

The most revolutionary concept to emerge from the proposed convergence is the idea of a new field that would be added to the e-mail “envelope” called “RFROM.” (The “R” stands for responsible.) This field would contain the e-mail address responsible for sending the message, and it could be checked by a receiving mail system before the e-mail is accepted.

Experts say authentication before an e-mail is accepted is preferable because it puts less of a burden on mail systems. But only fields contained in the “envelope” can be checked that way. Before “RFROM” was proposed, SPF focused on authenticating the bounce address. Such checking might have been helpful, but it wouldn’t have addressed marketer concerns about spoofing and phishing because none of the fields seen by the recipient — like the “from” address — are contained in the envelope.

Microsoft is flying Meng Weng Wong to its Redmond, Wash. headquarters Friday to further discuss the convergence proposal, according to the e-mail guru.

The trip comes on the heels of an eventful week for e-mail authentication. Microsoft submitted its Caller ID for E-Mail specification to the IETF Thursday. Yahoo! did the same with its DomainKeys proposal earlier this week. DomainKeys isn’t getting as much attention from the MARID working group as SPF and Caller ID for E-Mail at the moment. It’s seen as a more sophisticated proposal that would take longer to implement, and should therefore be considered further down the line.

“I tend to liken spam to cockroaches,” said Dave Crocker, principal of Brandenburg InternetWorking and a participant in the MARID working group. “You don’t eliminate cockroaches. You get them under control, with multiple techniques.”
