Back to Article

Get Tools and Whitepapers from the
Nokia Knowledge Center

IT Solutions for Enterprise Mobility
Advantages of SIP for VoIP

Extend Enterprise-wide Mobility Through Transformation of Your Content

Getting Started—Three Steps To Creating Your IT Mobility Strategy

The Anytime Anyplace World—Choosing the Right Mobile Connectivity Strategy for Your Enterprise

Nokia Mobile Connectivity ROI Tool

A Winning Combination: Software-as-Services Plus Business Consulting and Process Services
By Laurie McCabe
January 30, 2004

Members of the E-mail Service Provider Coalition (ESPC) left Microsoft’s headquarters pleased, after meeting with leading mail transfer agents (MTA), reputation and seal providers, and anti-spam vendors at a summit on the Sender ID Framework.

“It was a real show of consensus and force around authenticated e-mail,” said Trevor Hughes, executive director of the ESPC. “We have come away from the event feeling like it was a great success.”

Sender ID, the convergence of Microsoft’s Caller ID for e-mail proposal and Meng Wong’s Sender Policy Framework (SPF), verifies that each e-mail message originates from the Internet domain it claims to come from based on the sending server’s IP address. Eliminating domain spoofing will help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk e-mail.

Sender ID is currently being evaluated by the Internet Engineering Task Force (IETF) as an industry standard for e-mail authentication. A final draft of the specification could be delivered when the IETF meets in two weeks.

According to Hughes, the event began with a high-level discussion of the spam environment, which led to a discussion of SPF by its author, Meng Wong. Microsoft then led a discussion of the Sender ID spec in detail. Then ISP, MTA, and anti-spam vendors discussed how they would implement Sender ID in their products or services.

“It was compelling to see five CEOs on a panel from leading organizations in the anti-spam and MTA e-mail space talking about the fact that this is a train that’s already left the station, and that we just need to make sure that it keeps chugging along. To hear how enthusiastic they were and how willing they were to make sure their pieces of the puzzle were going to work in a Sender ID environment was really encouraging,” Hughes said.

Rather than being a one-way presentation from Microsoft, there was a good two-way discussion, according to Stephen Guerra, director of deliverability and ISP relations for ESPC member Silverpop.

“We were able to offer them some good feedback, and they were very receptive of that. It wasn’t just Microsoft saying ‘this is how things are going to be’. We gave them some significant feedback and even proposed solutions for some of these issues,” Guerra said.

Microsoft is recommending that e-mail senders begin publishing their records in the SPF format by October 1, which many senders have already done. Microsoft is suggesting that e-mail receiving organizations fully implement the checks for the Sender ID protocol by December 31. This should be a very reasonable timeline, Guerra said.

“The challenge for Sender ID is really not going to be implementing it on the ESP side,” he said. “What’s probably going to be the biggest challenge for ESPC members is working with their clients, making sure this information is being published in their records appropriately.”

Sender ID requires that information about a sender’s authorized IP addresses be published in the DNS records of the domain that is responsible for the message being sent. If a marketing e-mail is sent from a client’s domain, ESPs like Silverpop will either have to control that domain themselves, or work with the client’s IT departments to make sure the ESP’s servers are published as authorized senders in their DNS records.

A bigger challenge facing the e-mail industry as a whole is educating those that are unaware that these changes are going to affect them, Guerra said. While a lot of focus has been put on e-mail marketing, senders of transactional e-mails or just regular corporate e-mail senders may be caught unaware if they are not addressing these protocols.

“Some corporate servers are going to find that their corporate mail will become harder to get through in the next few months if they’re not adding this to their outgoing messages and their DNS records,” he said. “A recurring topic at summit was that the ESP industry as a whole needs to step up and educate the e-mail industry in general about Sender ID and the other authentication protocols that are coming.”

“This is a big first step, but it is not a silver bullet,” Hughes said. “I would hope that people would not look at their inboxes in January and see just as much spam as they had in December and decide Sender ID is a failure. I think that would be entirely the wrong metric.”

What Sender ID will do is address phishing — scams which attempt to trick users into divulging sensitive information, such as credit card numbers or account passwords, by pretending to be from a legitimate source, and spoofing — sending e-mail purporting to be from someone it’s not.

“It’s also going to let legitimate senders stand up and be recognized; to be held accountable for their sending practices, and also be rewarded for good sending practices,” Hughes said.

While complying with Sender ID will not guarantee that mail will reach the intended inbox or avoid filtering, what it may do is give the message a better chance of getting through.

“That deliverability message is really important to the legitimate e-mail industry. Even the fact that it will be a consideration in weighing whether something gets into the inbox is a significant step forward in terms of deliverability,” Hughes said. “What I envision, and would expect in the next 12 months, is a day in which legitimate senders are authenticating all of their e-mail, and it is routinely being whitelisted and delivered directly into the inbox.”

That way, if someone violates the expectations of the subscriber, they can be held accountable, because now their identity is known. In addition, a whitelist of legitimate e-mail senders will allow ISPs to be more aggressive in labeling suspect messages as spam.

“Filtering is really good for 90 percent of spam, but once you try to get that last 10 percent, you start hitting false positives that become problematic. This is going to allow ISPs to have much greater confidence in filtering that last 10 percent of spam,” Hughes said.


FREE IBM Tools and Tutorials on XML and Java:
Validating XML
Rational Application Developer for WebSphere Software
XML Programming in Java Technology, Part 1
IBM Software Evaluation Kit (SEK)