Bad karma surrounds e-mail authentication plans
The authentication landscape is still hopelessly crowded, says Meng Wong, who developed the Sender Policy Framework standard
This week's powwow of e-mail heavyweights in Chicago returned the IT community's attention to the issue of e-mail message authentication, but the messaging community has too little to show for a year's worth of work, some say.
Microsoft, Yahoo, AOL, and others used the second annual summit to highlight adoption of sender authentication technologies and talk up their schemes for verifying e-mail senders and recipients. But some messaging experts complain that there are still too many competing authentication schemes to prevent technical conflicts and guarantee widespread adoption of e-mail authentication.
The second annual event, with the theme "Summit II -- Authentication & Reputation-Building Online Confidence," was intended to highlight advances in the use of e-mail authentication technology after a year in which discussion and debate about it has faded.
Microsoft used the conference to promote adoption of Sender ID, its e-mail authentication architecture, and to introduce "Smart Network Data Services," spam reports generated by the company's MSN and Windows Live services, and "MSN Postmaster Services," a new program to provide tools and best practice guidance for ISPs to manage their e-mail infrastructures with MSN and Windows Live users.
Sender ID adoption among Fortune 500 companies increased threefold, from 7 percent in July 2005 to 21 percent, said Craig Spiezle, director of technology care and safety at Microsoft.
Currently, about 32 percent of all e-mail sent is Sender ID-compliant, Spiezle said.
Many of the other companies and industry groups followed suit. The E-mail Sender and Provider Coalition -- formerly known as the E-mail Service Provider Coalition -- issued a report showing "rapid adoption of authentication standards by 18 of the nation's largest Internet Service Providers," including AOL, Microsoft, and Yahoo. The coalition also issued a document providing "guiding principles of e-mail reputation" and "a framework for public and private reputation services."
Enterprise messaging company StrongMail offered its own whitepaper, "E-mail Authentication: The Time is Now," and a paper on "The Do's and Don'ts of E-mail Authentication."
Despite the good cheer, the e-mail authentication landscape is still as hopelessly crowded as it was a year ago, said Meng Wong, a messaging authentication expert who developed the SPF (Sender Policy Framework) standard, which later merged with a competing Microsoft architecture called Caller ID to become part of the Sender ID framework.
"One of the big mistakes in authentication was too many cooks in the kitchen," Wong said.
The industry managed to boil SPF, Caller ID, DomainKeys and IIM down to just two authentication schemes: Sender ID and DomainKeys Identified Mail, or DKIM, Wong said.
But the next stage in the evolution of e-mail messaging -- mail reputation and accreditation -- is even more complicated, with vendor-backed services such as Bonded Sender, Habeas, Goodmail, TrustE, SenderBase, Spamhaus, Spamcop, SenderIndex and SenderScore providing overlapping services and, in some cases, competing with one another.
The result is that enterprise IT staff are overwhelmed with options, but have little guidance about how to assemble a working solution that will spot and block fraudulent spam messages, Wong said.









