Microsoft eyeing merger of two secure e-mail specs

After submitting its Caller ID e-mail authentication specification to the Internet Engineering Task Force (IETF) earlier this week, Microsoft Corp. is now in detailed discussions to merge the specification with another, called Sender Policy Framework, or SPF.

E-mail experts from the Redmond, Washington, software company will spend the weekend meeting with SPF author Meng Weng Wong of Pobox.com and looking for ways to merge the closely related Caller ID and SPF standards, according to Wong.

"Basically, we're going to take SPF and Caller-ID and do a 'cut and paste,'" Wong said Friday by telephone before boarding a plane to Redmond.

Unveiled by Chairman and Chief Software Architect Bill Gates in March, Caller ID makes it harder to doctor unsolicited commercial, or spam, e-mail so that it appears to come from legitimate Web domains.

With Caller ID, e-mail senders publish the IP (Internet Protocol) address of their outgoing e-mail servers as part of an XML (Extensible Markup Language) format e-mail "policy" in the DNS (Domain Name System) record for their domain. E-mail servers and clients that receive messages can then check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that don't match the source address can be discarded, Microsoft said. DNS is the system that translates numeric IP addresses into readable Internet domain names.

SPF is very similar to Caller ID, and also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only allows receiving domains to verify the "bounce back" address in an e-mail's envelope, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

The "from" address checked by Caller ID is often a more accurate indicator of the message's origin than the bounce address, said John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.

Microsoft and Wong have been discussing a merger of the two standards since January 2004 and have been under pressure from leading ISPs (Internet service providers) and other stake holders to reconcile the two, Wong said.

"In the last six months or so, there's been a fair amount of uncertainty (about sender authentication). These are two very similar proposals and do many of the same things. The big players have been telling us 'When you get your story straight, we can go ahead,' but until that happens, people have been waiting to see what happens," he said.

One possibility for the merged standard is that the two parties will agree to add Caller ID's ability to check the message's "from" address, or what is referred to as the Purported Responsible Domain, to SPF. That would allow e-mail domains using the new standard to spot threats such as online cons known as "phishing scams," but also save them from having to download the full message's text to verify its authenticity, which Caller ID requires, Wong said.

"It's an idea that enables a lot of things most people want," Wong said.