After submitting its Caller ID e-mail authentication specification to a standards body, Microsoft is discussing merging its spec with another, called Sender Policy Framework, or SPF.
E-mail experts from Microsoft will spend a weekend meeting with SPF author Meng Weng Wong of Pobox.com, looking for ways to merge the closely-related Caller ID and SPF standards, according to Wong.
"Basically, we're going to take SPF and Caller-ID and do a 'cut and paste,'" Wong said Friday, en route to Microsoft headquarters.
Microsoft's Pitch
Microsoft unveiled its plans at the recent RSA Conference, in a keynote by Bill Gates, chairman and chief software architect. Caller ID makes it harder for senders of unsolicited commercial e-mail, or spam, to forge messages so they appear to come from legitimate Internet domains. Microsoft submitted Caller ID to the Internet Engineering Task Force (IETF) earlier this week.
With Caller ID, e-mail senders publish the IP addresses of their outgoing mail servers as part of an XML-format e-mail "policy" in the Domain Name System (DNS) records for their domain. A mail server or client that receives a message looks up the policy for the domain in the message's "from" address and checks whether the IP address of the server that delivered the message is one of the approved sending servers. Messages whose source address doesn't match can be discarded, Microsoft says. DNS is the system that translates readable Internet domain names into numeric IP addresses.
SPF is very similar to Caller ID, and also requires e-mail senders to modify their DNS records to declare which servers may send mail for a particular Internet domain. However, SPF only lets receiving domains verify the "bounce back" address in an e-mail's envelope (the address given in the SMTP MAIL FROM command), which is sent before the body of the message is received and tells the receiving mail server where to send rejection notices.
The "from" address checked by Caller ID is often a more accurate indicator of the message's origin than the bounce address, says John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.
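The envelope-versus-header distinction above, as an added example that is not code from Microsoft, Pobox.com or either specification: a small Python checker that evaluates a constructed SPF-style DNS policy (only the ip4, ip6 and all mechanisms; a, mx and include need live DNS) against the IP address that delivered a message, applied once to the domain of the envelope bounce address, as SPF does, and once to the domain of the purported responsible address taken from the message headers, as Caller ID does. The DNS records, the sample message, the header precedence assumed for picking the purported responsible address and the result names are all assumptions of the example.

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the TXT records a receiver would fetch from DNS.
# Only ip4/ip6/all mechanisms are modelled; a, mx and include need live lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_policy(domain, client_ip):
    """Evaluate the policy published for `domain` against the IP address that
    delivered the message. Returns pass/fail/softfail/neutral, or 'none' when
    the domain publishes nothing usable."""
    if not domain:
        return "none"
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism {mechanism!r} needs DNS lookups not modelled here")
    return "neutral"  # record ran out without a matching mechanism


def envelope_domain(mail_from):
    """SPF checks the domain of the SMTP envelope sender (MAIL FROM), i.e. the
    bounce address. An empty MAIL FROM (<>) yields no domain here; real SPF
    falls back to the HELO name in that case."""
    address = mail_from.strip().strip("<>")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def pra_domain(raw_message):
    """Caller ID checks the domain of the purported responsible address found in
    the message headers. The precedence assumed here is Resent-Sender,
    Resent-From, Sender, then From (an assumption of this example)."""
    msg = email.message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        _, address = parseaddr(msg.get(name, ""))
        if "@" in address:
            return address.rsplit("@", 1)[1].lower()
    return ""


def check_message(client_ip, mail_from, raw_message):
    """Run both checks on one delivery and report them side by side."""
    return {
        "spf": evaluate_policy(envelope_domain(mail_from), client_ip),
        "caller_id": evaluate_policy(pra_domain(raw_message), client_ip),
    }


# Constructed phishing attempt: relayed through a mailer whose own domain
# publishes a policy, with a forged From: header naming a different domain.
PHISH = (
    'From: "Example Billing" <billing@example.com>\n'
    "Subject: Verify your account\n"
    "\n"
    "Please confirm your details.\n"
)

if __name__ == "__main__":
    # SPF passes (the mailer is allowed to send for example.net); Caller ID fails
    # (198.51.100.10 is not an approved sender for the forged example.com From:).
    print(check_message("198.51.100.10", "<bounces@example.net>", PHISH))
```

The phishing case is the point: the envelope domain belongs to the mailer and checks out, so SPF alone passes, while the header domain the recipient actually sees does not authorize the delivering server, so the Caller ID check fails. A message whose envelope and header domains agree and whose delivering server is listed passes both.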
Microsoft and Wong have been discussing a merger of the two standards since January. Leading ISPs and other stakeholders are pressuring them to reconcile the two, Wong says.
"In the last six months or so, there's been a fair amount of uncertainty" about sender authentication, Wong says. "These are two very similar proposals and do many of the same things. The big players have been telling us 'When you get your story straight, we can go ahead,' but until that happens, people have been waiting to see what happens."
Playing Nicely
To produce a merged standard, both parties could agree to add to SPF Caller ID's check of the message's "from" address, referred to as the Purported Responsible Domain. That would let e-mail domains using the new standard spot threats such as the online cons known as "phishing scams," which forge the address the recipient actually sees, while sparing them from having to download a message's full text before verifying it, as Caller ID requires, Wong says.
"It's an idea that enables a lot of things most people want," Wong says.
However, implementing that would require changes to the SMTP standard that is the foundation of the e-mail system, and updates to existing mail software for every e-mail sender and recipient who wants to participate, Levine says.
"SMTP has worked the same way for 20 years. ... If the solution is that we get to change the way SMTP works, there's a long list of other things we'd like to change about it, too," he says.
Wong acknowledges that the change to SMTP will require software changes from organizations that make e-mail software. Then, mail administrators would have to deploy the updates. However, the transition could happen quickly if the new standard is backed by large companies like Microsoft and leading ISPs.
Wong says the two companies recently discussed the merged standard with representatives from leading ISPs at an IETF meeting in San Francisco and met with approval.
"There were a lot of important players in the room and a lot of heads nodding," he says.
Yahoo's Entry
Less clear is the fate of a related standard from Yahoo called DomainKeys.
Yahoo submitted a draft for DomainKeys to the IETF standards body on Monday to begin the standardization process. The company is one of a number of industry players, including Microsoft, proposing technologies to make it harder for e-mail senders to fake the origin of messages.
DomainKeys works differently than Caller ID and SPF, using encryption to generate a signature based on the e-mail message text that is placed in the message header, says Miles Libbey, antispam program manager at Yahoo.
Levine believes that Yahoo's technology is more secure than Caller ID and SPF, because even if an e-mail message gets forwarded across various e-mail servers, its signature stays intact. The receiving system can still verify its origin.
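The signature-in-the-header scheme described above, as an added example that is not Yahoo's code and does not reproduce the DomainKeys wire format: a Python script that signs selected headers and the canonicalized body with a small textbook RSA key, places the signature in a header, and then verifies the message after a relay has prepended its own trace header and after the body has been altered. The key pair, the header name, the tag layout, the sample message and the fake DNS key table are all constructed for the example; the RSA here is unpadded and uses a tiny key, for illustration only.

```python
import email
import hashlib

# Toy RSA key pair built from two Mersenne primes (2^107-1 and 2^127-1) so the
# example runs offline with only the standard library. Illustration only:
# real DomainKeys/DKIM keys are 1024-bit or larger and use PKCS#1 v1.5 padding;
# this unpadded "textbook" RSA must not be used for anything real.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed stand-in for the public key a verifier would fetch from the
# signing domain's DNS. The header name and tag layout are this example's own.
DNS_PUBLIC_KEYS = {"example.com": (N, E)}
SIG_HEADER = "X-Example-Signature"


def canonical_body(msg):
    """Normalize line endings and trailing blank lines before hashing, so that
    benign changes made by relays do not invalidate the signature."""
    body = msg.get_payload().replace("\r\n", "\n").rstrip("\n") + "\n"
    return body.encode("utf-8")


def message_digest(msg, signed_headers):
    """Hash the listed headers (lower-cased names, trimmed values) plus the
    body. DomainKeys paired RSA with SHA-1; modern DKIM uses SHA-256."""
    h = hashlib.sha1()
    for name in signed_headers:
        value = (msg.get(name) or "").strip()
        h.update(f"{name.lower()}:{value}\n".encode("utf-8"))
    h.update(canonical_body(msg))
    return int.from_bytes(h.digest(), "big")  # 160 bits, always below N


def sign_message(raw, domain="example.com", signed_headers=("From", "Subject")):
    """Return the message with a signature header prepended."""
    msg = email.message_from_string(raw)
    signature = pow(message_digest(msg, signed_headers), D, N)
    value = f"d={domain}; h={':'.join(signed_headers)}; b={signature:x}"
    return f"{SIG_HEADER}: {value}\n{raw}"


def verify_message(raw):
    """Return 'pass', 'fail', or 'none' (unsigned, or unknown signing domain)."""
    msg = email.message_from_string(raw)
    sig_value = msg.get(SIG_HEADER)
    if not sig_value:
        return "none"
    tags = dict(part.strip().split("=", 1) for part in sig_value.split(";") if part.strip())
    key = DNS_PUBLIC_KEYS.get(tags.get("d", ""))
    if key is None:
        return "none"
    n, e = key
    expected = message_digest(msg, tags["h"].split(":"))
    return "pass" if pow(int(tags["b"], 16), e, n) == expected else "fail"


# Constructed sample message.
ORIGINAL = (
    "From: alerts@example.com\n"
    "Subject: Your statement is ready\n"
    "\n"
    "Your March statement is available in the portal.\n"
)
SIGNED = sign_message(ORIGINAL)
# A forwarding server prepends its own trace header but leaves the signed
# headers and body untouched, so the signature still verifies.
FORWARDED = "Received: from relay.example.net by mx.example.org\n" + SIGNED
# A copy whose body was rewritten after signing fails verification.
TAMPERED = SIGNED.replace("in the portal", "at http://login.example.invalid")

if __name__ == "__main__":
    for label, text in (("signed", SIGNED), ("forwarded", FORWARDED), ("tampered", TAMPERED)):
        print(label, verify_message(text))
```

The forwarding case is what the paragraph above is getting at: an IP-based check sees the relay's address and cannot tell a legitimate forward from a forgery, whereas the signature is bound to the content and the signing domain's key, so it survives the extra hop as long as the relay does not rewrite what was signed.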
"By the time we get to the future, hopefully all e-mail messages will be (cryptographically) signed, but today nobody is signing e-mails at all," Wong says.
While DomainKeys is a better long-term fix for the spam problem, Caller ID and SPF--or a merged standard--have the advantage of being lightweight and easy to implement, while closing many of the technical loopholes exploited by spammers, both Levine and Wong say.
"Something is going to change because the pain of spam is excruciating," Levine says. "Doing nothing isn't an option."