For the past several months a standards group of the Internet Engineering Task Force named MTA Authorization Records in DNS, or MARID, has labored to form a proposed standard for SMTP authentication. That effort will move along one step this week at the 60th IETF meeting in San Diego.
Based originally on SPF (Sender Policy Framework), an effort driven by Meng Weng Wong, co-founder and CTO of Pobox.com, it has grown in scope to include many other functions, most controversially the authentication of mail header data. The result is a set of documents defining Sender ID, which the IETF will consider for advancement in the standards process.
The aim of SMTP authentication is to impose some rules on an Internet e-mail system that heretofore, when an Internet e-mail message is sent purporting to come from a particular address, there is no verification process to confirm that it did come from that address. Spammers, phishers and virus authors know this full well and use the fact to disguise the source of their messages.
Sender ID does not pretend to be a full anti-spam solution, just a necessary part of one. Meng Wong describes a framework called Aspen under which spam is addressed by authentication, accreditation and reputation. Accreditation, according to Wong, "lets third parties vouch for senders with whom they have a prior relationship." Reputation is more of a ratings system for senders and accreditors.
Many companies, including Brightmail (recently purchased by Symantec), have entered the reputation service business. Sender ID directly enables authentication and accreditation and touches on reputation. It is also backward-compatible with SPF.
SPF and almost all the many variants discussed in the working group set rules for the authorization to send mail by putting new records in the domains DNS (hence the name MARID). Understanding the specifications and the arguments between participants in the standards process often requires expert understanding of DNS jargon.