Vendors look to sender authentication

Opinion
Apr 08, 2004 | 2 mins
Enterprise Applications, Malware, Messaging Apps

* Three proposals for authenticating senders to reduce spam

Because so much spam is sent from forged e-mail addresses, a potentially effective way to stop a significant percentage of spam would be to use a mechanism that verifies that a sender’s identity matches the information contained in the e-mail header.

There are several approaches that have been put forth by leading messaging vendors:

* Caller ID: This Microsoft system compares a sender’s e-mail against the IP addresses that each domain has published in the DNS for its outgoing mail servers. The recipient’s e-mail system is responsible for making sure that each e-mail message it receives is consistent with the domain’s published information.

* DomainKeys: This Yahoo system involves the generation of a signature in the header of an e-mail message using public/private key cryptography. Each incoming message is then checked against the sender’s public key that is available via the DNS.

* Sender Policy Framework: In this Pobox system, SPF records – lists of e-mail servers authorized to send e-mail for each domain – are published in the DNS. When a message is received, the receiving system checks to see if the sender’s server is authorized to send e-mail for that domain.

None of these approaches will eliminate spam, and none is intended to eliminate the need for good spam filtering technology. The companies that have put forth these approaches are not claiming that they are a panacea for the spam problem, but are instead casting them as merely another step toward solving the problem. Further, each approach has some drawbacks that in some cases will require changes in e-mail sending practices, upgrades to messaging systems and the like.

Each system is still very much in the early stages, and proponents of each system are still coming on board. Consequently, it is far too early to tell which authentication scheme will eventually win out, or if any of these three will.

I’d like to hear your thoughts on any or all of these approaches or, in the alternative, an approach that you believe would work even better. Please drop me a line at michael@ostermanresearch.com