Trouble’s Afoot for Sender ID

Sender ID, the email authentication protocol backed by Microsoft and supported by the E-Mail Service Providers Coalition (ESPC), may be in trouble.

As concerns over intellectual property rights to the technology mount, a key standards-making group is considering next steps for Sender ID. The matter is coming to a head because the MARID working group, which has been considering technologies to recommend to the Internet Engineering Task Force (IETF), is approaching its deadline to reach a consensus. That deadline is September 10.

“It is the opinion of the co-chairs at this time (before the end of last call) that the MARID working group has no consensus regarding the deployment of Sender ID,” wrote Andrew Newton, co-chair of MARID, in an email to the group. “This lack of consensus centers around the IPR [intellectual property rights] associated with the PRA algorithm.”

The algorithm in question was developed by Microsoft, and the software giant claims certain intellectual property relating to the technology. The company has said, however, that it will grant a free license to those who want to use it.

Those assurances have been met with skepticism by the open source community. Last week, both the Apache Software Foundation and the Debian Project — two influential open source groups — said Sender ID was at odds with the ideal of open Internet standards.

“The current Microsoft Royalty-Free Sender ID Patent License Agreement terms are a barrier to any ASF project which wants to implement Sender ID,” said the Apache Software Foundation in a statement. “We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms.”

The Apache Software Foundation is an open-source organization that manages the Apache SpamAssassin email filter and the Java Apache Mail Enterprise Server. The Debian Project, which produces the Debian GNU/Linux operating system, also said it would refuse to implement Sender ID.

“Given that both Apache and Debian have now said that they will not deploy, I think that it is a fairly serious problem,” said Anne P. Mitchell, an attorney and president of the Institute for Spam and Public Policy.

Watchers of the process feel the open source uproar stems at least partially from open source backers’ longstanding suspicion of Microsoft. But there’s also a perception that mistrust between senders and receivers of email is playing a role.

“Senders backing any one particular system is as likely to make the system suspect as it is to facilitate adoption — perhaps more likely,” said Mitchell.

One important distinction between Sender ID and other protocols like SPF is that the Microsoft-backed system authenticates the “from” address that is seen by the end user. That’s thought to be critical in fighting the phishing problem and protecting companies’ brands. SPF checks only the “bounce” address.

Despite the controversy, the ESPC remains hopeful about Sender ID’s fate.

“The broadest adoption possible and the most consistent standards are in the interests of not just senders, not just ISPs, but of consumers,” said Trevor Hughes, executive director of the ESPC.

Hughes also points out that even if it doesn’t become a standard, Sender ID will still be a factor if the major ISPs adopt it.

“Where we stand is that Sender ID is going to be a reality for large senders,” he said. “We don’t question the sincerity of the folks who are raising concerns over open source compatibility. We just haven’t come up with the same concerns.”

Related reading