Linux.com
Everything Linux and Open Source
Sendmail takes sender authentication seriously
Sendmail plans to test many mainstream sender authentication schemes in order to figure out which ones, or which combinations, are effective at reducing or eliminating unwanted email messages. Once a set of effective schemes is identified, Sendmail plans to release plug-ins for both the open source sendmail Mail Transfer Agent (MTA) and Sendmail's commercial email message products. Testing is currently taking place and will continue through the second quarter, with an expected release of the open source plug-ins sometime in the third quarter. Sendmail's Todd Blaschka said, "Our approach is that these schemes will remain invisible to the end user. There is no 'winner take all' from the OS or applications perspective as to what scheme becomes dominant."
One of the first schemes receiving Sendmail's attention is DomainKeys, which Yahoo! announced late last year as a way to combat spoofed email. The DomainKeys scheme uses public/private key cryptography as its authentication method. DomainKeys digitally signs an outgoing email message with a private key. The system receiving the message uses public key data to validate the message and allow it through.
Sendmail plans to test the Yahoo! DomainKeys scheme with a variety of open standards through the second quarter in an effort to encourage more rapid adoption across the Internet. At this time Sendmail is uncertain about how the release schedule will look, but the plan is to release an open source package that will enable other email systems to generate and validate the DomainKeys authentication information, as well as the other schemes when Sendmail has determined they are effective and ready for release.
Sendmail also endorsed Microsoft's Caller ID for E-mail technology, which Bill Gates announced yesterday. Sendmail will develop an open source plug-in based on Microsoft's Caller ID spec. Caller ID is designed to perform an IP check of the email header against a published text record in the domain's DNS record. George Webb, Microsoft's group business manager, anti-spam technology and strategy team, explained, "We took one year of development before we released the spec, working outside of Microsoft and with feedback with other partners. The whole goal is to solve the spam problem, which requires teamwork and partnership. Signature-based and IP-based solutions are both promising and complementary as part of a long-term solution."
The Caller ID pilot test includes outbound mail passing through Microsoft.com, Amazon.com, and Hotmail.com, as well as Sendmail. Inbound Caller ID tests are scheduled for early summer. Microsoft declined to reveal whether it will be incorporating other sender authentication schemes in its products.
Sendmail has chosen not to test Sender Policy Framework (SPF), another popular sender authentication scheme. SPF is an extension to the SMTP standard that requires MX records to add SPF protocol information, which checks DNS to see if the originating IP address on the message comes from the originating domain. This sender authentication scheme provides a way for MTAs to verify that an email message came from where it claims to have come from before moving it to users' inboxes.
"Anything done to fight spam is a good thing," said Mark Levitt, vice president for collaborative computing at IDC. "Winning the war on spam will take many players on many different levels cooperating with service providers and users. There is no wrong way to fight spam, and it will take a coordinated effort, the challenge being to take the money out of spam, and make it harder to do business as spammers."
Sender authentication will not solve the spam problem alone, Levitt concedes, "but it's a welcome sharing of technology that is a good step to dedicate product strategies towards fighting spam instead of commercializing products."
Sender authentication technology will be just one of many ways to combat spam alongside legislative efforts, other technologies, and user education, Levitt said.