Microsoft eyes merger of two e-mail specs

Microsoft is in detailed discussions to merge its Caller ID e-mail authentication specification with another, called Sender Policy Framework, or SPF.

Caller ID makes it harder to doctor spam so that it appears to come from legitimate web domains.

With Caller ID, e-mail senders publish the IP address of their outgoing e-mail servers as part of an XML (Extensible Markup Language) format e-mail "policy" in the DNS (Domain Name System) record for their domain.

E-mail servers and clients that receive messages can then check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that do not match the source address can be discarded, Microsoft said. DNS is the system that translates numeric IP addresses into readable internet domain names.

SPF is very similar to Caller ID, and also requires e-mail senders to modify DNS to declare which servers can send mail from a particular internet domain. However, SPF only allows receiving domains to verify the "bounce back" address in an e-mail's envelope, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

The "from" address checked by Caller ID is often a more accurate indicator of the message's origin than the bounce address, said John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.
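The difference between the two checks, shown as an added Python example that is not part of the original article: a constructed `PUBLISHED_POLICY` table stands in for the policies senders publish in DNS, and the Caller ID-style check is simplified to read only the `From` header. All domains, addresses and function names are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for sender policies published in DNS:
# domain -> networks of its approved outgoing mail servers.
PUBLISHED_POLICY = {
    "bank.example": ["192.0.2.0/28"],
    "bulk-mailer.example": ["198.51.100.0/24"],
}

def domain_of(address):
    """Return the lower-cased domain of an e-mail address, or None."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def ip_authorized(domain, client_ip):
    """'pass' or 'fail' against the published policy, 'none' if no policy."""
    networks = PUBLISHED_POLICY.get(domain)
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"

def check_envelope(client_ip, mail_from):
    """SPF-style: bounce address from the SMTP envelope, known before the body."""
    domain = domain_of(mail_from)
    return ip_authorized(domain, client_ip) if domain else "none"

def check_header_from(client_ip, raw_message):
    """Caller ID-style: 'From' header, so the message must be received first."""
    domain = domain_of(message_from_string(raw_message).get("From", ""))
    return ip_authorized(domain, client_ip) if domain else "none"

def evaluate(client_ip, mail_from, raw_message):
    """Run both checks for one delivery attempt."""
    return {"envelope": check_envelope(client_ip, mail_from),
            "header_from": check_header_from(client_ip, raw_message)}

# Constructed message whose visible sender is a domain the client does not serve.
SPOOFED = (
    "From: Account Services <security@bank.example>\n"
    "To: user@recipient.example\n"
    "Subject: Please confirm your details\n"
    "\n"
    "(body omitted)\n"
)

if __name__ == "__main__":
    # The envelope domain authorizes this IP; the header domain does not.
    print(evaluate("198.51.100.25", "bounces@bulk-mailer.example", SPOOFED))
```

A message can pass the envelope check while its visible `From` domain fails, which is the gap between the bounce address and the "from" address that the article describes.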

A merger of the two standards has been under discussion since January, and the two parties have been under pressure from leading ISPs and other stakeholders to reconcile the two.

One possibility for the merged standard is that the two parties will agree to add Caller ID's ability to check the message's "from" address, or what is referred to as the Purported Responsible Domain, to SPF. That would allow e-mail domains using the new standard to spot threats such as phishing scams, but also save them from having to download the full message's text to verify its authenticity, which Caller ID requires.

However, implementing that idea would require changes to the SMTP (Simple Mail Transfer Protocol) standard that is the foundation for the e-mail system, and updates to existing mail software packages for every e-mail sender and recipient who wants to participate, Levine said.

"SMTP has worked the same way for 20 years. ... If the solution is that we get to change the way SMTP works, there's a long list of other things we'd like to change about it, too," he said.

Less clear is the fate of a related standard from Yahoo called DomainKeys.

Yahoo submitted a draft for DomainKeys to the IETF standards body to begin the standardisation process. DomainKeys works differently than Caller ID and SPF, using encryption to generate a signature based on the e-mail message text that is placed in the message header, said Miles Libbey, antispam program manager at Yahoo.

Levine believed that Yahoo's technology is more secure than Caller ID and SPF, because even if an e-mail message gets forwarded across various e-mail servers, its signature stays intact, allowing the receiving system to verify its origin.

While DomainKeys is a better long-term fix for the spam problem, Caller ID and SPF - or a merged standard - have the advantage of being light-weight and easy to implement, while closing many of the technical loopholes exploited by spammers. 

"Something is going to change because the pain of spam is excruciating," Levine said. "Doing nothing isn't an option."

Paul Roberts and Scarlet Pruitt write for IDG News Service
