Combined Microsoft, SPF E-Mail Standard Goes to Standards Body
The move is seen as a critical step toward e-mail authentication and the end of spoofing, phishing and spam.
Microsoft and Sender Policy Framework (SPF) author Meng Weng Wong have converged their respective email authentication standards and submitted the resulting specification, now called Sender ID, to the Internet Engineering Task Force.
Sender ID, like its progenitors SPF and Caller ID for E-Mail, is aimed at adding the identity element to email. That’s seen as a critical first step in eliminating spoofing, phishing and spam. The news comes on the heels of public support for authentication standards expressed by both the ISPs’ Anti-Spam Technical Alliance and the Federal Trade Commission.
“Over half of the email targeting our Hotmail customers today come from spoofed domains, and we are committed to taking this trick away from spammers,” said Ryan Hamlin, general manager of the Anti-Spam Technology and Strategy Group at Microsoft.
Sender ID works by looking at information both in the “envelope” of the email message and in the message itself. It compares that information with data published by domain owners in the Domain Name System (DNS), to confirm the email actually came from the domain that it appears to be from. For example, recipients could be sure an email from [email protected] was actually from someone at the aol.com domain.
There’s been some controversy over the format in which the Sender ID records should be published in the DNS. The merged specification calls for an XML format — a format many critics say is unnecessarily complicated and difficult to deal with. However, the Sender ID authors have made the specification backwards compatible with the simpler SPF text format. More than 20,000 domains have already published records in that format, according to Wong.
AOL, as one of those that published the original SPF standard, is pleased with Sender ID. “We are glad the new standard is fully backwards compatible with the existing SPF, which is in use by tens of thousands of domains on the Internet already,” said Carl Hutzler, director of Antispam Operations at AOL.
A number of email service providers have already adopted SPF and other authentication technologies. AOL has said it will require those on its whitelist to publish SPF records by the end of the summer.
