Sendmail takes Sender ID into open source territory

One of the leading proponents of authentication is Sendmail, which wants to represent the open source community for the Sender ID authentication scheme, the merger of Microsoft’s Caller ID and the Sender Policy Framework.

This week, Sendmail will make available an open source Sender ID “milter” (mail filter), a plug-in for the Sendmail message transfer agent that will check to see if senders’ authentication information has been registered in the domain system. The milter will place the results of that authentication check into a header that it adds to a message that indicates whether authentication information is present for the sender’s domain and, if so, whether the authentication information is valid.

This is the first implementation of Sender ID and is intended for public testing.

Sendmail is working closely with Microsoft on Sender ID and has negotiated a license so that Sendmail can open source the authentication system and deal with patent rights and related issues.

Authentication is viewed by many as the next major step forward in dealing with the spam problem. Much like verifying that a letter’s return address actually matches the identity of the sender, authentication should go a long way toward reducing spam and spam-related problems like phishing.

Sendmail is also supporting an alternative authentication scheme – Yahoo DomainKeys – and has had an open source version of it in testing for about two months. Although DomainKeys was originally assumed to be quite resource-intensive, Sendmail’s testing has proven this not to be true. The company’s testing on messaging system performance, using typical message sizes, has shown server processing overhead of about 15% for inbound e-mail traffic and just under 8% for outbound traffic.

Sendmail is also working on some other interesting tools using authentication that will be the subject of a future newsletter.

So as an e-mail administrator or someone who is otherwise responsible for managing an e-mail system, what are best practices regarding authentication? One best practice is to create a Sender ID/SPF record in your domain within the next month or so. Microsoft will begin checking incoming mail for the presence of this information beginning in October, and many organizations will follow suit in the near future. While messages that don’t contain authentication information won’t be rejected, the presence of this information will speed the delivery of e-mail. Another best practice is to implement multiple authentication schemes; much like you can buy a product with any of several credit cards, ultimately several authentication schemes are likely to be used.

I’ll discuss more on authentication in an upcoming newsletter, but would appreciate your feedback on this topic. What do you think of authentication and it’s role in your messaging infrastructure, either as a sender of e-mail or as a recipient? Please drop me a line at mailto:michael@ostermanresearch.com