Sender ID Specification Submitted to IETF
Sender ID Specification Submitted for Standards Body Consideration
Successful Merge of SPF and Microsoft Caller ID for E-Mail Seen as a Significant Step Toward Promoting an Effective E-Mail Authentication Standard
Redmond, Washington and Philadelphia, PA, USA. June 24, 2004.
Microsoft Corp., author of the Microsoft Caller ID for E-mail proposal, and Meng Weng Wong, co-founder and CTO of Pobox.com and author of the Sender Policy Framework (SPF), announced today that they have successfully converged the two proposals into one specification, named Sender ID, and submitted it to the Internet Engineering Task Force (IETF) for consideration as an industrywide standard for e-mail authentication. The submission is part of the IETF's efforts to define effective industry Internet e-mail standards to address the problem of spam. Sender ID is designed to help verify the source of e-mail to help eliminate domain spoofing and provide greater protection against phishing schemes. By providing a unified specification, Microsoft and Wong hope to simplify industry adoption of effective e-mail authentication technology, thereby helping more swiftly provide greater spam protection to e-mail users worldwide.
"Spoofing," or sending e-mail purporting to be from someone it's not, is an increasingly common and relatively simple way for spammers to try to trick filters. It can also pose a security risk when used to deliver e-mail viruses or phisher scams, which attempt to trick users into divulging personal information such as credit card numbers or account passwords by pretending to be from a legitimate source, such as a user's bank. Sender ID aims to prevent spoofing by confirming what domain a message came from and thereby increase the effectiveness of spam filters.
Under the merged proposal, organizations will publish information about their outgoing e-mail servers, such as IP addresses, in the Domain Name System (DNS) using the industry-standard XML format. Backward compatibility will be provided for the many domains that have already published information in the SPF TXT format.
The converged specification will enable receiving systems to test for spoofing at the message transport (SMTP) level, or envelope, as originally proposed in SPF, as well as in the message body headers, as originally proposed in Caller ID. Testing for spoofing at the message transport level allows receiving systems to block some spam messages before they are sent. Checking the message body headers is necessary in cases in which a deeper examination of the message contents is required to detect spoofing and phishing.
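The two checks described above, sketched as an added example that is not part of the original announcement or of the Sender ID specification. The lookup table stands in for records published in DNS; the domains, addresses, message and function names are constructed for illustration, and the header check reads only the From header, which is a simplification.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> networks allowed to send its mail.
PUBLISHED = {
    "bank.example": ["192.0.2.0/28"],
    "bulk.example": ["198.51.100.0/24"],
}

# Constructed message: relayed by bulk.example, but claims to be from the bank.
SPOOFED = (
    'From: "Your Bank" <alerts@bank.example>\n'
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your password.\n"
)


def domain_of(address):
    """Extract the domain part of an address such as 'Name <user@domain>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def authorized(domain, client_ip):
    """Return 'pass', 'fail', or 'none' when the domain published nothing."""
    networks = PUBLISHED.get(domain)
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"


def check_message(client_ip, mail_from, raw_message):
    """Run the envelope check and the header check for one delivery."""
    # Envelope: needs only the SMTP MAIL FROM and the connecting address.
    envelope = authorized(domain_of(mail_from), client_ip)
    # Header: needs the message itself, so it can only run after receipt.
    headers = message_from_string(raw_message)
    header = authorized(domain_of(headers.get("From", "")), client_ip)
    return {"envelope": envelope, "header": header}


if __name__ == "__main__":
    # Envelope passes (bulk.example authorizes this host); header does not.
    print(check_message("198.51.100.7", "bounce@bulk.example", SPOOFED))
    # Same message from one of the bank's own published addresses.
    print(check_message("192.0.2.5", "alerts@bank.example", SPOOFED))
```

The first call shows why the header check matters: a sender with a valid envelope identity of its own can still put another domain in the From line, and only the second test catches that.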
"Twenty thousand domains have already published SPF records," Wong said. "Sender ID automatically gives those domains additional protection from phishing and spoofing as well."
"Over half of the e-mail targeting our Hotmail customers today comes from spoofed domains, and we are committed to taking this trick away from spammers," said Ryan Hamlin, general manager of the Anti-Spam Technology and Strategy group at Microsoft. "We very much look forward to working with the IETF and others in the industry to help swiftly move forward in establishing e-mail authentication standards as a key step toward containing the spam problem for customers worldwide."
Momentum for this kind of standard is building. Earlier this week, the Anti-Spam Technical Alliance (ASTA) formed by key industry stakeholders such as America Online, British Telecom, Comcast, EarthLink, Microsoft and Yahoo! published a host of recommendations for the industry to effectively address the spam problem and recognized the need for the broad adoption of e-mail authentication mechanisms, including the kind of IP-based approaches put forth in Sender ID. Also, in addition to Microsoft, many leading technology companies including America Online, Brightmail, Cloudmark, EarthLink, IronPort, Sendmail, Tumbleweed and VeriSign have already committed to quick adoption and implementation of Sender ID as it moves toward becoming an industry standard.
"AOL is pleased to see the merger between these two proposals, which will help provide enhanced identity in e-mail. We are glad the new standard is fully backwards-compatible with the existing SPF, which is in use by tens of thousands of domains on the Internet already," said Carl Hutzler, director of Antispam Operations at AOL, an ASTA member and key contributor to Wong's SPF proposal. "We look forward to continuing our work with Mr. Wong, Microsoft, our industry partners and the IETF to ensure swift adoption of SPF and the new combined standard."
To be more effective in the fight against junk e-mail, filters need additional information that is not available in e-mail messages today. Simple but important changes to the e-mail infrastructure, such as those outlined in the Sender ID proposal, can provide greater certainty about the origin of an e-mail message and enable legitimate senders to more clearly distinguish themselves from spammers.
Complete details on the Sender ID specification can be found at http://www.microsoft.com/senderid/ and http://spf.pobox.com/. More information on Microsoft's overall efforts to address spam can be found at http://www.microsoft.com/spam/.
Founded in 1994, Pobox.com is the worldwide leader in subscription-based email forwarding and mailing list services.
Founded in 1975, Microsoft (Nasdaq "MSFT") is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news story: "IETF Releases Anti-Spam Sender ID Internet Draft Specification."