Sender authentication will have a major place in the arsenal of anti-spam technology, Mark Sunner believes.
Spam used to be just a nuisance but, as volumes have increased, it has become a business issue.
In March 2003, spam accounted for 36% of all e-mails scanned by MessageLabs' anti-spam service; last month it had risen to 53%. The lost productivity, wasted IT resources and bandwidth, coupled with the sheer frustration of dealing with it, are familiar to most organisations.
Industry players are now looking at new ways to beat spam. One such development is sender authentication - a way to check that an e-mail has genuinely been sent from the domain it claims to come from. It works by examining the IP address of the e-mail: if it does not match the source of the e-mail as given by the domain, it is likely to be a forgery.
Sender authentication is not designed to prevent spam per se; it is a way of finding out whether an e-mail address has been spoofed. However, given that many spammers re-route their spam and forge its origin, authentication should help to weed them out. It should be noted that identifying forged e-mails has potential for tackling phishing scams and the spread of viruses too.
Three main technologies now offer sender authentication:
Sender Policy Framework, created by pobox.com, is being trialled by AOL and is the best established of the authentication systems. SPF identifies e-mails that have been forged and alerts the user to suspicious e-mails. This is useful for those who do not want to adopt a black-and-white approach.
Domainkeys, Yahoo's proposal for sender authentication, is a more complex offering than SPF. It uses cryptography to verify the IP address and domain and look at when the e-mail was sent. Using this technology, e-mails are assigned inbound and outbound tokens to help assess their authenticity.
Caller ID, from Microsoft, is similar to SPF in that it tries to validate the sending domain, but it is based on the headers of an e-mail rather than the SMTP envelope. This makes implementation more complex and fragile. Caller ID also requires all e-mail clients to upgrade.
In the short term, companies may have to support all three authentication technologies, but past lessons suggest that one technology will emerge as the standard. Whether Microsoft will win remains to be seen. Technically, Domainkeys or SPF probably has the edge.
What is clear is that despite some opposition, sender authentication is likely to gain mainstream support. Will sender authentication spell the end of spam? Alone, probably not - anti-spam technology will still have an important part to play. But it should turn out to be a very significant piece of the puzzle.
Mark Sunner is chief technology officer at e-mail security firm MessageLabs
This was first published in April 2004