E-Mail-Authentication Problems Spawn New AppsE-Mail-Authentication Problems Spawn New Apps

While America Online, Microsoft, and the open-source community agree to disagree about E-mail-authentication standards, some companies are stepping up to bridge the divide.

Port25 Solutions Inc., a maker of E-mail gateway software for legitimate commercial mail senders, has released a new version of PowerMTA, geared to address E-mail-authentication specs and accreditation services, along with E-mail fraud, message delivery, and sender reputation.

Bill Karpovich, senior VP of marketing at Port25, says the company is the first with outbound support for both Microsoft's Sender ID and Yahoo Inc.'s DomainKeys, two leading E-mail-authentication schemes.

Outbound support will become increasingly significant for commercial E-mail senders as major Internet service providers and E-mail service companies more closely scrutinize incoming E-mail for authentication data. Failure to support message-authentication specs will begin curbing delivery rates.

"As evidenced by everyone's announcements over the past couple of weeks," Karpovich says, referring to statements made for and against Sender ID, "there're going to be different standards."

Port25 is offering to deal with the headaches created by a lack of standards. "All that complexity is what we are going to encapsulate," he says.

Other companies are pursuing similar goals. IronPort Systems Inc., a competing E-mail infrastructure vendor, disclosed its intent to support Sender ID in August and has been working with Yahoo as well.

"Domain authentication proposals like SPF [Sender Policy Framework] provide a critical building block in solving the E-mail-security crisis but aren't useful today without reputation and policy systems," Craig Taylor, VP of technology at IronPort, writes via E-mail. "This is demonstrated by the fact that while there are lots of senders publishing SPF records today, only a few brave E-mail receivers reject or accept mail based on SPF alone."

Sendmail Inc., another enterprise E-mail company, released the first implementation of the Sender ID spec at the end of August as an open-source plug-in to the sendmail MTA, the most popular E-mail-routing software. The company has been testing DomainKeys and has already released a DomainKeys mail filter for checking inbound E-mail compliance.

A Microsoft spokesman notes that while Sender ID has had a tough week, he expects that the week to come will bring a revised authentication specification from the Internet Engineering Task Force, one that reconciles both the standards Microsoft advocates and those favored by the open-source community.

The rift over Sender ID may shift more attention to Yahoo's DomainKeys proposal, which many in the industry see as a stronger authentication system. DomainKeys uses a cryptographic digital header to verify the sender and, unlike Sender ID, the integrity of the message content.

Despite disagreements about authentication standards, pretty much every commercial enterprise on the Internet concurs that something needs to be done to address domain spoofing and phishing.

Research firm Gartner puts the cost of E-mail fraud to U.S. banks and credit companies at $1.2 billion last year, to say nothing of the cost to consumers in terms of time, money, and aggravation. While authentication won't put an end to fraud, experts see it as a necessary step to address the rampant misuse of the Internet.