Competing standards may shake up e-mail

Mar 5, 2004

Microsoft, Sendmail, and Yahoo are pushing anti-spam protocols

Emerging anti-spam initiatives are causing tectonic shifts in the once staid world of Internet messaging.

Microsoft, Sendmail, and Yahoo each have introduced technologies designed to reduce spam.

With Microsoft’s Caller ID, e-mail senders publish the IP address of their outgoing e-mail servers, thereby arming the recipients with the information necessary to determine whether or not to discard the message.

Microsoft has cut a deal with e-mail software provider Sendmail, which is testing the Caller ID technology and plans to create an open source plug-in Sendmail filter, or “milter,” said Dave Anderson, CEO of Sendmail.

Adding to the flurry of activity in the area of e-mail authentication, Sendmail will soon begin testing another e-mail authentication technology backed by Yahoo, called DomainKeys. Yahoo proposes to use PKI (Public Key Infrastructure) technology to prevent e-mail address spoofing. 

Sendmail also backs a sender-reputation infrastructure to complement sender authentication, Anderson said.

Sendmail executives said that backing both Caller ID and DomainKeys is not contradictory; having more than one authentication scheme can work.

While DomainKeys and Caller ID overlap in some areas, they have different strengths.

The DomainKeys system uses public/private key cryptography to generate a unique signature for each e-mail address based on information in the message header. The system requires senders to deploy a PKI infrastructure, but makes it possible to authenticate both the source of the message and the message content, Anderson said.

In contrast, Caller ID does not verify message content, but it is easy to deploy and does not require new technology purchases.

Complicating matters, Caller ID is similar to another sender-authentication proposal circulating among leading ISPs and e-mail security experts called SPF (Sender Policy Framework).

In January, America Online said it was testing SPF across its entire user base of 33 million subscribers, making it one of more than 7,500 Internet domains to publish SPF records.

Behind all of the activity is pent-up demand caused by years of inaction on security issues on the part of major e-mail stakeholders. The foot-dragging allowed online fraud and e-mail scams to flourish, according to Pete Lindstrom, an analyst at consultancy Spire Security.

But some companies doing business on the Internet are worried that the competing proposals for e-mail authentication could do more harm than good, said Gail Goodman, CEO of Constant Contact, a provider of e-mail marketing services.

“Our main concern is that whatever technology is implemented is able to accommodate various [e-mail] configurations that people commonly use today, and that it’s affordable to all businesses that use the Internet,” Goodman said.

Anderson and others envision multiple technologies working side by side.

“We believe there will be more than one” e-mail authentication technology, Anderson said. “It will be like the IDs in a wallet, where you have multiple kinds of IDs.”