Earthlink to test sender authentication

Internet service provider Earthlink will soon begin testing new e-mail security technology.

Internet service provider Earthlink will soon begin testing new e-mail security technology.

Earthlink will be experimenting with "sender authentication" technology including Microsoft's Caller ID and a similar plan called Sender Policy Framework (SPF).

The AISP will evaluate other e-mail security proposals, but is not backing any specific technology, said Robert Sanders, chief architect at Earthlink.

Plans to secure e-mail by verifying the source of e-mail messages have garnered much attention in recent months, as the volume of spam has swelled and the number of internet scams has increased.

Spammers and internet-based criminals often fake, or "spoof", the origin of e-mail messages to trick recipients into opening them and trusting their content. Sender authentication technologies attempt to stop spoofing by matching the source of e-mail messages with a specific user or an approved e-mail server for the internet domain that the message purports to come from.

Yahoo and Hotmail, and ISP America Online (AOL) have all backed slightly different sender authentication proposals.

Yahoo is promoting an internally developed technology called DomainKeys, which uses public key cryptography to "sign" e-mail messages.

AOL said in January that it is testing SPF for outgoing mail, publishing the IP (internet protocol) addresses of its e-mail servers in an SPF record in the DNS (Domain Name System).

Finally, Hotmail is publishing the addresses of its e-mail servers using its recently announced Caller ID standard.

Earthlink said that sender authentication is necessary, and is prepared to support multiple sender authentication standards if necessary. However, the company hoped that one clear winner emerges from the field of competing proposals.

"I don't think it's unlikely that we'll see two or three coexisting proposals go into production. We had hopes that they would be able to merge, but I think at this point each standard adds a different function, and we're unlikely to see a merger," Saunders said.

Caller ID and SPF will probably make it into production first, because neither require companies to deploy software to participate in the sender authentication system, he said.

Earthlink is also interested in proposals such as Yahoo's DomainKeys, which allows e-mail authors to cryptographically sign messages, enabling recipients to verify both the content of a message and its author.

However, DomainKeys is more complicated to deploy than either Caller ID or SPF and requires software changes that will slow implementation.

Paul Roberts writes for IDG News Service

Read more on PC hardware