Microsoft’s announcement last week of a host of initiatives to stop spam highlighted some tectonic shifts taking place in the once staid world of internet messaging.
The company’s latest e-mail authentication architecture, known as Caller ID, is being met with cautious acceptance. However, Microsoft is unlikely to have the last word on secure e-mail, and expects have warned that a shake-out of antispam solutions backed by Microsoft, Yahoo, America Online and others is likely to take place in coming months.
Microsoft used a keynote address at the RSA Conference last week by chairman and chief software Architect Bill Gates to unveil its new authentication scheme.
With Caller ID, e-mail senders publish the IP address of their outgoing e-mail servers as part of an XML format e-mail "policy" in the domain name system (DNS) record for their domain.
E-mail servers and clients that receive messages can then query that DNS record and match the source IP address of the message to the address of the approved sending servers. E-mail messages that do not match the source address can be discarded.
To bolster its proposal, Microsoft has cut a deal with leading e-mail software provider Sendmail to support Caller ID. Sendmail is testing the Caller ID technology and intends to create an open-source plug-in Sendmail filter, or "milter", that works with the Caller ID architecture, said Sendmail chief executive officer Dave Anderson.
Sendmail also announced last week that it will soon begin testing another e-mail authentication technology - called DomainKeys - backed by leading ISP Yahoo.
Yahoo proposes to use PKI (Public Key Infrastructure) technology to prevent e-mail address spoofing, Sendmail said.
Sendmail executives say that backing both proposals is not contradictory and that having more than one authentication scheme can work.
"It will be like the IDs in a wallet, where you have multiple kinds of IDs," said Anderson.
While DomainKeys and Caller ID overlap in some areas, they also have different strengths, he added.
The DomainKeys system uses public/private key cryptography to generate a unique signature for each e-mail address based on information in the message header. The system requires senders to deploy a PKI infrastructure, but makes it possible to authenticate both the source of the message and the message content, Anderson said.
In contrast, Caller ID does not allow organisations to verify message content, but it is easy to deploy and does not require new technology purchases, he added.
"Caller ID will be quick to deploy for a basic set of [e-mail senders}. They don’t have to do anything else besides put their sender ID in DNS."
To complicate matters even further, Caller ID is similar to another sender authentication proposal circulating among leading ISPs and e-mail security experts called Sender Policy Framework (SPF), which was developed by independent antispam researcher Meng Wong of the e-mail forwarding service Pobox.com.
In January, America Online said it was testing SPF across its entire user base of 33 million subscribers, making it one of more than 7,500 internet domains to publish SPF records.
Behind all of the activity is built-up demand caused by years of inaction by major e-mail stakeholders on security issues, which allowed online fraud and e-mail scams to flourish, according to Pete Lindstrom of Spire Security, who chaired a panel discussion on sender authentication at the RSA Conference.
But some companies that do business on the internet are worried that the competing proposals for e-mail authentication could cause more harm than good, said Gail Goodman, CEO of Constant Contact, which provides e-mail marketing services for small and medium-sized businesses.
"Our main concern is that whatever technology is implemented is able to accommodate various configurations that people commonly use today and that it's affordable to all businesses that use the internet now," she said.
New architectures, such as SPF and Caller ID, will prompt changes in the way Constant Contact and its customers do business, Goodman said. For example, the company's customers will need to modify their DNS record to include an e-mail policy document that lists Constant Contact's e-mail servers as an approved e-mail service provider.
SPF might even make it difficult for Constant Contact to continue business, because the company sends e-mail from its own servers on behalf of customers, listing the domain name of its customers in the "from" address - a legal manoeuvre that is often abused by spammers and that SPF is designed to thwart.
"SPF doesn't work for a lot of edge cases like e-mail forwarding companies," said Hans Peter Brondmo, senior vice president at e-mail marketing company Digital Impact and a co-chair of the Technology Working Group at the E-mail Service Providers' Coalition (ESPC). The coalition represents about 40 companies in the commercial e-mail business, including Digital Impact and Constant Contact.
On the other hand, DomainKeys, which relies on a signature based on the exact message formatting, might fall flat with e-mail servers, such as Microsoft Exchange, that alter the format of the e-mail message body after it has been received, Brondmo said.
The ESPC has been consulted by Microsoft and others about their plans and is putting together trials of Caller ID, DomainKeys and SPF. While the group has not come out in favour of any solution, it backs the use of sender authentication as a way to weed out legitimate e-mail marketers from spammers, Goodman said.
However, the group also advocates the creation of a "reputation" system to build accountability into e-mail.
Such a system would aggregate information collected by large ISPs such as Hotmail, Yahoo, AOL and others from billions of e-mail messages and create an accreditation system for e-mail domains. Smaller ISPs and other domain owners could then use that to vet e-mail on their domains, Brondmo said.
"Forty or 50% of the e-mail goes to small and medium-sized ISPs and mail gateways. Those guys need a framework for authentication and to determine the quality of e-mail," he added. At present, none of the proposed sender authentication solutions directly addresses the reputation issue, nor have ISPs published standards for how such information could be shared.
Sendmail also backs a sender reputation infrastructure to complement sender authentication, Anderson said.
Anderson, Brondmo and others also envision multiple technologies working side by side.
"Maybe you start with SPF and, if that fails, you choose to accept a message and the secondary authentication on the additional headers," Brondmo said.
Multiple, competing standards are rarely a good thing in technology circles, and we are likely see "jostling" between competing authentication schemesin the coming months, although Brondmo admitted that could be a good thing.
"Right now, the competing standards are causing everyone to run real fast and be aggressive," he said.
If providers decide on an authentication infrastructure within a year, organisations can begin working on other pieces of the secure e-mail puzzle and make the system work for everybody, Brondmo added.
Paul Roberts writes for IDG News Service
This was first published in March 2004