Leading ISPs, anti-spam vendors, and e-mail software companies are moving quickly to add support for the Microsoft-backed anti-spam technology standard Sender ID, even as some e-mail experts raise doubts that the technology will work.
Still in the proposal stage, Sender ID aims to provide a method for verifying an e-mail message’s source. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders -- including spammers -- to fake, or “spoof,” a message’s origin.
In July, Microsoft urged e-mail providers and ISPs to publish, by mid-September, SPF (Sender Policy Framework) records that identify their e-mail servers in the DNS. Microsoft will begin matching the source of inbound e-mail to the IP addresses of e-mail servers listed in that sending domain’s SPF record by Oct. 1. Messages that fail the check will not be rejected but will be further scrutinized and filtered, said Craig Spiezle, director of the safety technology and strategy group at Microsoft.
AOL will also begin screening incoming mail in September, matching the source of inbound messages to published SPF records for the sender’s e-mail domain, a company representative said.
Sendmail will soon release a plug-in for its popular open source and commercial e-mail servers. The plug-in, known as a “milter,” will allow customers using Sendmail servers to check inbound e-mail against SPF records.
IBM is “far along” in the process of building Sender ID features into its Lotus products, said Nathaniel Borenstein, distinguished engineer at IBM. But Big Blue will not formally back the standard until it has full support of the IETF.
IronPort, meanwhile, plans to announce it has integrated Sender ID into its e-mail security appliances and e-mail reputation services.
Some experts, however, have expressed doubts about Sender ID, which could render popular services such as e-mail forwarding useless if widely adopted.
As implemented, Sender ID will greatly increase the amount of Internet traffic from e-mail servers trying to authenticate the source of e-mail messages, said Doug Otis, senior engineer in R&D at the Mail Abuse Prevention System.
Also, companies that publish SPF records are unlikely to enforce Sender ID checks anytime soon, for fear of rejecting large amounts of legitimate e-mail sent through forwarding services. That, in itself, could render the standard toothless, Otis said.
“There’s not a single spammer that will have their e-mail dropped as a result of [Sender ID checking],” Otis warned.
Still, most e-mail experts agree that Sender ID is on a fast track for approval by the IETF and for adoption by the technical community -- due in large part to the severity of growing problems, including spam and online scams known as “phishing” attacks.
“You’re going to see fast uptake for [Sender ID], just based on the level of enthusiasm for it or, to put it negatively, the severity of the problem,” Borenstein said. “The cost of spam is enormous, and the solution for this is one that requires cooperation.”
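The source check described above, and the forwarding failure Otis points to, shown as an added example that is not part of the original article or any vendor's code: a minimal Python evaluator that handles only the ip4/ip6 and all terms of an SPF record. The record, the addresses (documentation ranges) and the disposition() mapping are constructed assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Parse a 'v=spf1' record into ([(network, result)], default_result).
    Only ip4:/ip6: and 'all' are supported; mechanisms that need DNS
    lookups (a, mx, include, ...) are rejected rather than guessed at."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, default = [], "neutral"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            networks.append((net, QUALIFIERS[qual]))
        elif name.lower() == "all":
            default = QUALIFIERS[qual]
            break  # terms after 'all' are never evaluated
        else:
            raise ValueError("unsupported mechanism: " + name)
    return networks, default

def check_sender(client_ip, record):
    """Match the connecting server's IP against the domain's record."""
    ip = ipaddress.ip_address(client_ip)
    networks, default = parse_spf(record)
    for net, result in networks:
        if ip.version == net.version and ip in net:
            return result
    return default

def disposition(result):
    """Assumed receiver policy mirroring the article: a failed check is
    not rejected, it is routed to further scrutiny and filtering."""
    return "scrutinize" if result == "fail" else "normal"

# Constructed sample: the sending domain lists one /24 and fails the rest.
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
DIRECT_SERVER = "192.0.2.25"   # the domain's own outbound server
FORWARDER = "198.51.100.7"     # forwarding service relaying the same message

if __name__ == "__main__":
    for label, ip in (("direct", DIRECT_SERVER), ("forwarded", FORWARDER)):
        result = check_sender(ip, RECORD)
        print(label, ip, result, disposition(result))
```

The forwarded copy fails because the receiver sees the forwarder's address, which the original domain never listed.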