Microsoft e-mail spec dovetails with Cisco-Yahoo effort

Microsoft's Sender ID and the newly proposed DomainKeys Identified Mail are both authentication standards, but they fight different problems, experts say.

A new e-mail authentication specification that digitally signs e-mail as it leaves an organization should complement, not compete, against another technology sponsored by Microsoft that is also vying for the messaging

DKIM is based on receiving cryptographic evidence and Sender ID provides forensic evidence.


Nathaniel Borenstein, IBM distinguished scientist

,
industry's blessing.

Technical experts at Microsoft, IBM and other companies attending the E-mail Authentication Implementation Summit 2005 in New York this week supported a draft standard called DomainKeys Identified Mail (DKIM), which promises to guard against spoofing and phishing attacks.

Microsoft's Sender ID Framework technology is IP-based, in that it checks the address of the server from where the e-mail is sent against a registered list of servers that the domain owner has authorized to send e-mail.

But DKIM, which was crafted by Cisco Systems Inc. and Yahoo Inc., is similar to Microsoft's Sender ID in that both are designed to authenticate the identity of an e-mail sender. In both cases, there must be a record published in a company's Domain Name System (DNS) infrastructure.

"Phishing exploits are on the rise and consumers can't tell who the sender is," said Craig Spiezle, director of industry relations for Microsoft's Care and Safety team. "And companies have brands and reputations to protect when they send out mail on behalf of their company."

Forensic evidence vs. cryptographic evidence

Nathaniel Borenstein, a distinguished scientist at IBM, said authentication should be thought of in terms of an accumulation of evidence and there is no one way to have all the answers.

Related links

Blocking spammers with DNS blacklists

 

Opinion: Why Sender ID is a non-starter

"DKIM is based on receiving cryptographic evidence and Sender ID provides forensic evidence," he said. "You identify yourself to police with a driver's license, and the police authenticate you with your fingerprints. One is proactive and the other is a systemized tracking of forensics."

Borenstein and Spiezle recommend using both technologies. However, the reality is that DKIM, which was only submitted to the Internet Engineering Task Force (IETF) this week, could take a year to be fully approved.

Both technologies have their plusses and minuses, but it's likely that there may be a need to have multiple technical solutions to fully approve identity, Spiezle said. Beyond the requirement for determining authentication, industry experts also have the technical problem of clearing a sender's reputation.

Separately at the conference, a technical coalition called the Messaging Anti-Abuse Working Group presented the results of a six-month study of the Sender Policy Framework and the Sender ID e-mail authentication technologies. The group offered no conclusions other than to say that more evaluation is necessary. The committee said it will also look at DKIM and the Client SMTP Validation protocols later this year.

Dig deeper on Spam and virus protection

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close