Microsoft said yesterday it has revised Sender ID to make it backwards compatible with the original Sender Policy Framework, and has resubmitted the specification to the Internet Engineering Task Force. AOL said it now endorses the spec.
Today, a new Sender ID version is being submitted to the IETF that we believe fully addresses and answers AOL’s concerns, and those of many others in the online industry as well who shared those concerns, AOL said in a statement.
We basically formalized… what came out of the shutdown of the IETF working group, said Microsoft spokesperson Sean Sundwall. As reported last month, compromise was being sought on the technical details of the spec.
AOL in particular has helped us work through some issues that were a concern for them, Ryan Hamlin, manager of Microsoft’s Safety Technology and Strategy Group, said in a statement, calling the concession a big step forward.
Intellectual property arguments
Sender ID is a way for people to check whether email they receive came from a computer that was authorized to send it. Email senders publish a list of authorized IP addresses in their domain name system records, where recipients then do authorization lookups.
The specification was based on the Microsoft-designed Caller ID for E-mail and SPF, created by Pobox.com chief technology officer (CTO) Meng Wong, but standardization moves within an IETF working group fell apart a month ago after intellectual property arguments slowed the technical work.
At the same time, AOL, the biggest proponent of the original SPF, complained that Sender ID was not backwards compatible with SPF 1, which is already in use in 100,000 domains, and said it would not support Sender ID.
Microsoft says it has addressed both concerns with this week’s moves. Mr Sundwall said that Microsoft has amended its US patent applications to clarify that they do not cover SPF, which had been a concern of open source software advocates.
Open source incompatibility
IETF talks stalled after many working group participants grew concerned that Microsoft was asking commercial Sender ID implementers to sign a license agreement that, while royalty-free, was incompatible with open source licenses.
Mr Sundwall said that while the license has not changed, the patent amendments mean companies will only have to take out licenses with Microsoft if they implement specific parts of Sender ID – namely Purported Responsible Address (PRA) checks.
Now the Sender ID spec has essentially become split. People can choose to implement SPF’s Mail From check on their incoming email servers, which will not require a license, or they can implement PRA, which will.
The difference is that SPF version one and version two both look at a specific email header to determine which domain the sender claims to come from, and then compares the sender’s IP address to the SPF records in that domain’s DNS record.
The Microsoft PRA algorithm is more convoluted, looking at various data extracted from the email. Microsoft says its method is more flexible and better able to handle situations such as forwarded email.
While AOL is now officially lending its support to Sender ID once again, that seems to be because Sender ID has changed, not because AOL has changed what it is supporting in a technological sense.
It will continue to use the SPF components of Sender ID, without using the PRA check. Microsoft is currently rolling out PRA checks across Hotmail and MSN, and plans to have the rollout completed by the end of the year.
Companies claim Sender ID will reduce the amount of worms and phishing attacks that are received by email. But they stress that simply confirming that the server that sent the email matches the domain its claims to come from does not do anything to stop spam, unless combined with other filters and reputation services.
