Here's a different Microsoft/Yahoo story

As usual, Microsoft is going its own way when it comes to fighting e-mail fraud. But the good news for corporate IT executives is that Microsoft’s preferred approach, known as Sender ID, works with the emerging industry standard, DomainKeys Identified Mail (DKIM), which is backed by Yahoo, Google and others. (Read a Q&A with a Yahoo executive on DKIM and beyond.)

Sender ID requires ISPs and companies to publish Sender Policy Framework (SPF) records to identify their e-mail servers. SPF is an extension to the Simple Mail Transfer Protocol. 

DKIM, which was developed by the Internet Engineering Task Force, uses mail transfer agents to cryptographically sign outbound mail and to check inbound mail for DKIM signatures.

Click to see: Chart of how companies are protecting their e-mail

Many organizations recommend adopting both Sender ID and DKIM. These include BITS, which represents the 100 largest U.S. financial institutions, and the Authentication and Online Trust Alliance (AOTA).

``We endorse Sender ID and DKIM as complementary,’’ says Craig Spiezle, chairman of AOTA. ``Combined, they really provide comprehensive protection.’’

Sender ID has been widely deployed, while DKIM deployments are just beginning. For example, PayPal deployed Sender ID in early 2007 and is now deploying DKIM.

AOTA reports that 52% of the top consumer-facing financial service brands are authenticating their e-mail through Sender ID or DKIM. In addition, 54% of Internet retailers are using one of these approaches to authenticate their e-mail. AOTA studied over 100 million e-mails sent by Fortune 500 brands over a five-month period.

Overall, 37% of Fortune 500 companies are using Sender ID or DKIM, the study found. This is a significant increase from two years ago, when less than 10% of the Fortune 500 were authenticating outbound e-mail., AOTA says.

``It’s not a Sender ID or DKIM issue in my mind,’’ Spiezle says. ``It’s really about how they can be jointly deployed to provide overlapping strength.’’

Despite the industry momentum around DKIM, Microsoft won’t commit to it.

``E-mail authentication technology is an important method for helping to protect consumers and businesses from e-mail threats, such as spam and phishing,’’ a Microsoft spokesman said in a statement. ``Microsoft views DKIM as a complementary technology to the Sender ID framework, which was developed jointly by Microsoft and industry partners. Microsoft is constantly looking for new ways to bolster defenses and is investigating DKIM’s application, but has no firm plans to support it at this stage.’’

In the meantime, companies that want to deploy both Sender ID and DKIM will need to buy software or appliances from third-party vendors like Sendmail and IronPort.

``Microsoft has not committed to supporting DKIM,’’ says Greg Olson, director of product management at Sendmail. ``Microsoft is putting their weight behind their own sender authentication strategy called Sender ID. But Microsoft Exchange can work with a DKIM appliance. A Microsoft customer would need a third-party product to do DKIM.’’