A new e-mail authentication specification that digitally signs e-mail as it leaves an organization should complement, not compete against, another technology sponsored by Microsoft that is also vying for the messaging
Technical experts at Microsoft, IBM and other companies attending the E-mail Authentication Implementation Summit 2005 in New York this week supported a draft standard called DomainKeys Identified Mail (DKIM), which promises to guard against spoofing and phishing attacks.
Microsoft's Sender ID Framework technology is IP-based, in that it checks the address of the server from which the e-mail is sent against a registered list of servers that the domain owner has authorized to send e-mail.
But DKIM, which was crafted by Cisco Systems Inc. and Yahoo Inc., is similar to Microsoft's Sender ID in that both are designed to authenticate the identity of an e-mail sender. In both cases, there must be a record published in a company's Domain Name System (DNS) infrastructure.
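The IP-based check described above can be sketched as follows. This is an added example, not code from the article or from Microsoft, and it evaluates a sending server's address against a policy record of the kind a domain owner publishes in DNS. Assumptions: the record is a constructed sample for the placeholder domain example.com, the function name is hypothetical, and only the `ip4`, `ip6` and `all` terms are handled.

```python
import ipaddress

# Constructed sample policy record (placeholder domain example.com). A real
# domain publishes this as a DNS TXT record; here it is inline so the check
# runs offline.
SAMPLE_RECORD = "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender_ip(record: str, client_ip: str) -> str:
    """Hypothetical helper: return pass, fail, softfail, neutral, none or permerror."""
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"  # the domain publishes no usable policy record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a term without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: its qualifier decides
        if name not in ("ip4", "ip6"):
            return "permerror"  # mechanism outside the scope of this example
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed address or prefix in the record
        if network.version != (4 if name == "ip4" else 6):
            return "permerror"  # e.g. an IPv6 address under ip4:
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for addr in ("192.0.2.77", "2001:db8::1", "203.0.113.9"):
        print(addr, check_sender_ip(SAMPLE_RECORD, addr))
```

The result depends only on the connecting server's address and the published list, which is why this kind of evidence is a different thing from a signature carried inside the message itself.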
"Phishing exploits are on the rise and consumers can't tell who the sender is," said Craig Spiezle, director of industry relations for Microsoft's Care and Safety team. "And companies have brands and reputations to protect when they send out mail on behalf of their company."
Forensic evidence vs. cryptographic evidence
Nathaniel Borenstein, a distinguished scientist at IBM, said authentication should be thought of in terms of an accumulation of evidence and there is no one way to have all the answers.
"DKIM is based on receiving cryptographic evidence and Sender ID provides forensic evidence," he said. "You identify yourself to police with a driver's license, and the police authenticate you with your fingerprints. One is proactive and the other is a systemized tracking of forensics."
Borenstein and Spiezle recommend using both technologies. However, the reality is that DKIM, which was only submitted to the Internet Engineering Task Force (IETF) this week, could take a year to be fully approved.
Both technologies have their plusses and minuses, but it's likely that there may be a need to have multiple technical solutions to fully approve identity, Spiezle said. Beyond the requirement for determining authentication, industry experts also have the technical problem of clearing a sender's reputation.
Separately at the conference, a technical coalition called the Messaging Anti-Abuse Working Group presented the results of a six-month study of the Sender Policy Framework and the Sender ID e-mail authentication technologies. The group offered no conclusions other than to say that more evaluation is necessary. The committee said it will also look at DKIM and the Client SMTP Validation protocols later this year.