Supporters Try to Revive Sender ID with New Version

Microsoft has submitted another version of the Sender ID email authentication framework to the Internet’s standards-making body, after the group originally working on it was disbanded because of a lack of consensus. Separately, America Online reversed an earlier decision to withdraw its support of Sender ID, saying it would begin testing the new version on inbound email by the end of the year.

The key difference in the new Sender ID specification sent to the Internet Engineering Task Force (IETF) is that it is backwards compatible with SPF, or Sender Policy Framework. SPF is an older, simpler authentication protocol that has already been implemented by more than 60,000 domains. On the inbound side, the new specification lets recipients choose whether to check the “bounce” address specified by SPF, or the purported responsible address (PRA), which Microsoft is pushing.

“We see this revised specification as a big step forward, and one that is really going to help facilitate deployment by allowing mail receivers to choose the method they would like to use,” said Ryan Hamlin, general manager of Microsoft’s safety technology and strategy group, in an interview on the company’s Web site.

Another big change is that Microsoft changed one of its patent applications surrounding email technology. Some in the industry had thought the original could be construed to cover SPF-style checking, and hesitated to implement a protocol that might be bound by Microsoft’s intellectual property claims.

“Some outside of Microsoft speculated that it could be read to include SPF classic [the original SPF],” said Sean Sundwall, a Microsoft spokesperson. “We went back to that patent application to say it’s not part of the scope that we’re applying for.”

The hope is that the new, revised protocol will allow Microsoft to sidestep those in the open source community who said they couldn’t deploy the previous Sender ID because of the tech giant’s intellectual property claims.

Despite the controversy, the E-Mail Service Providers Coalition (ESPC) and the Direct Marketing Association (DMA) both continued to recommend marketers deploy Sender ID records. They argued that even if only Microsoft began checking for such records, it would be worthwhile to ensure deliverability to MSN Mail and Hotmail.

With AOL’s announced support of the new Sender ID, that advice seems especially apt. AOL had been one of the standard’s biggest backers, but once the decision-making process stalled in September, the company withdrew its support and continued on its own path to move forward with the SPF protocol.

“We relayed those concerns directly to Microsoft and others in the online industry….” said Nicholas Graham, a spokesperson for America Online. “Today a new Sender ID version is being submitted to the IETF that we believe fully addresses and answers AOL’s concerns, and those of many others in the online industry as well who shared those concerns.”

AOL says it is currently participating in Sender ID testing by publishing SPF records. It’s also using SPF to help it maintain its whitelists. AOL will begin checking the PRA, or “sender” address, by the end of this year. Microsoft will also be rolling out a PRA check later this year, and says it will use the information to “score” mail.

“If the domain has a Sender ID record, the email is less likely to be judged as spam,” said Hamlin. “If it doesn’t, there will be a higher probability it will be judged as spam. Over time, as the deployment of Sender ID gets wider, the weighting associated with the PRA check will change.”

As for AOL, it says it will eventually use both SPF and Sender ID to help evaluate whether email is spam. “AOL has always held that SPF and Sender ID are data points in the evaluation of email and not a determination unto themselves. AOL has no plans to specifically reject email because it lacks an SPF or Sender ID record,” said AOL’s Graham. “Likewise, the existence of an SPF or Sender ID record does not mean that the email will be accepted for delivery. Sender ID and SPF are merely additional forms of authentication that allow the receiver more certainty in how they handle the email.”

Both Microsoft and AOL said they would continue to test other authentication technologies as they were developed, including Yahoo’s DomainKeys and Cisco Systems’ “Identified Internet Mail.”

“What’s important to understand is that there is no one single solution,” said Hamlin. “Sender ID is not the be-all end-all. We believe and hope that a range of alternatives and technologies will evolve over time that will complement and in some cases replace others.”
