Updated: The Internet giant plans to fight spam by implementing the industry-standard Sender Policy Framework instead, citing tepid support for Sender ID in the open-source community.
America Online Inc.s announcement Wednesday that it would abandon its attempts to support Microsofts Sender ID e-mail authentication standard are a serious setback for the Redmond, Wash., software company.
"Given recent concerns expressed by the Internet Engineering Task Force [IETF], coupled with the tepid support for Sender ID in the open-source community, AOL has decided to move forward with SPF-only checking on inbound e-mail at this time," AOL spokesman Nicholas Graham said in a statement.
AOL still will provide Sender ID information for outgoing mail so that its users can communicate with e-mail providers using that system, but that will be the limit of support for the standard. AOL, meanwhile, is moving ahead with its plans to implement the industry-standard Sender Policy Framework. The company said in June that it would require all of its whitelisted mailers to use SPF by the end of summer 2004.
Graham said AOLs concerns went beyond just industry standards when it made the decision to dump support for Sender ID.
"AOL has been especially concerned at the lack of acceptance for Sender ID among the free and open-source online community, though it should be made clear that licensing of Sender ID technology has never been a focus of concern for the company and its potential deployment of Sender ID technology," Graham said in the statement.
Microsoft officials downplayed the impact of AOLs announcement, saying they didnt view it as an abandonment of Sender ID. Like AOL, Microsoft will publish records for both authentication schemes but check for only one, Microsoft spokesman Sean Sundwall said. Microsoft will check the PRA (Purported Responsible Address) mechanism that it originally proposed for Sender ID, while AOL will use SPF, the method it long has backed.
"While its always cleaner and nicer to just have one, two is better than five or 10," Sundwall said.
Microsoft is optimistic that MARID will support a framework for Sender ID that allows for both mechanisms, he said.
Already, there are calls not to drop Sender ID from the picture. The E-mail Service Provider Coalition would prefer support for both standards.
"Sender ID solves the forgery problems that pose the biggest threat to consumer confidence in e-mailthese are not addressed by SPF," Margaret Olson, chief technology officer at Constant Contact and co-chairwoman of the ESPC Technology Committee, said in a statement. "Senders were publishing both SPF and Sender ID records before the AOL announcement, and nothing has changed."
More trouble may be ahead for Microsoft and Sender ID. The FTC (Federal Trade Commission) announced this week that the agency, along with the National Institute of Standards and Technology, would sponsor a two-day e-mail authentication summit starting Nov. 9.
The summit would examine whether any of the current or proposed standards would actually decrease spam, whether they would provide problems for e-mail providers and whether such a standard could be adopted Internetwide. The last point could prove to be a problem for Microsoft because of the proprietary nature of Sender ID.
Sender ID will soon be history, Security Center Editor Larry Seltzer writes. Click here to read more.
The e-mail authentication summit is being held in response to a provision in the CAN-SPAM Act, passed by Congress in January, that called for the FTC to examine the idea of a "Do Not Spam" registry similar to the highly successful "Do Not Call" list that the FTC implemented last year.
But Wednesdays report from the FTC recommended against such a registry for spam, saying it might make spam worse because spammers would instead use the list as a source of valid e-mail addresses.
Editors Note: This story was updated to include comments from Microsoft.Matt Hicks of eWEEK.com contributed to this report.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.