After submitting its Caller ID email authentication specification to a standards body, Microsoft is discussing merging its spec with another, called sender policy framework, or SPF.
Email experts from Microsoft will spend a weekend meeting with SPF author Meng Weng Wong of Pobox.com, looking for ways to merge the closely-related Caller ID and SPF standards, according to Wong.
"Basically, we're going to take SPF and Caller-ID and do a 'cut and paste,'" Wong said Friday, en route to Microsoft headquarters.
Microsoft unveiled its plans at its recent RSA data security conference, in a keynote by Bill Gates. Caller ID makes it harder to doctor unsolicited commercial email, or spam, so it appears to come from legitimate Web domains. Microsoft submitted Caller ID to the Internet Engineering Task Force (IETF) earlier this week.
With Caller ID, email senders publish the IP address of their outgoing email servers as part of an XML format email "policy" in the Domain Name System (DNS) record for their domain. Email servers and clients that receive messages can then check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. Email messages that don't match the source address can be discarded, Microsoft says. DNS is the system that translates numeric IP addresses into readable Internet domain names.
SPF is very similar to Caller ID, and also requires email senders to modify DNS to declare which servers can send mail from a particular Internet domain.
However, SPF only allows receiving domains to verify the "bounce back" address in an email's envelope, which is sent before the body of a message is received and tells the receiving email server where to send rejection notices.
The "from" address checked by Caller ID is often a more accurate indicator of the message's origin than the bounce address, says John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.
Microsoft and Wong have been discussing a merger of the two standards since January. Leading ISPs and other stakeholders are pressuring them to reconcile the two, Wong says.
"In the last six months or so, there's been a fair amount of uncertainty" about sender authentication, Wong says. "These are two very similar proposals and do many of the same things. The big players have been telling us 'When you get your story straight, we can go ahead,' but until that happens, people have been waiting to see what happens."
To produce a merged standard, both parties could agree to add Caller ID's ability to check the message's "from" address, or what is referred to as the Purported Responsible Domain, to SPF. That would allow email domains using the new standard to spot threats such as online cons known as "phishing scams", but also save them from having to download the full message's text to verify its authenticity, which Caller ID requires, Wong says.
"It's an idea that enables a lot of things most people want," Wong says.
However, implementing it would require changes to the SMTP standard that is the foundation for the email system, and updates to existing mail software packages for every email sender and recipient who want to participate, Levine says.
"SMTP has worked the same way for 20 years. If the solution is that we get to change the way SMTP works, there's a long list of other things we'd like to change about it, too," he says.
Wong acknowledges that the change to SMTP will require software changes from organisations that make email software. Then, mail administrators would have to deploy the updates. However, the transition could happen quickly if the new standard is backed by large companies like Microsoft and leading ISPs.
Wong says the two companies recently discussed the merged standard with representatives from leading ISPs at an IETF meeting in San Francisco and met with approval.
"There were a lot of important players in the room and a lot of heads nodding," he says.
Less clear is the fate of a related and potentially more effective standard from Yahoo called DomainKeys.
Yahoo submitted a draft for DomainKeys to the IETF standards body on Monday to begin the standardization process. The company is one of a number of industry players, including Microsoft, proposing technologies to make it harder for email senders to fake the origin of messages.
DomainKeys works differently than Caller ID and SPF, using encryption to generate a signature based on the email message text that is placed in the message header, says Miles Libbey, antispam program manager at Yahoo.
Levine believes that Yahoo's technology is more secure than Caller ID and SPF, because even if an email message gets forwarded across various email servers, its signature stays intact. The receiving system can still verify its origin.
"By the time we get to the future, hopefully all email messages will be (cryptographically) signed, but today nobody is signing emails at all," Wong says.
While DomainKeys is a better long-term fix for the spam problem, Caller ID and SPF, or a merged standard, have the advantage of being lightweight and easy to implement, while closing many of the technical loopholes exploited by spammers, both Levine and Wong say.
"Something is going to change because the pain of spam is excruciating," Levine says. "Doing nothing isn't an option."