America Online Inc. (AOL) has decided not to fully support Microsoft Corp.’s Sender ID spam-fighting plan after the Internet Engineering Task Force (IETF) and the open- source community expressed intellectual property concerns.
“AOL will now not be moving forward with full deployment of the Sender ID protocol,” spokesman Nicholas Graham said in a statement sent via e-mail Thursday. Instead, the Dulles, Virginia-based ISP (Internet service provider) will support only the sender policy framework (SPF) to fight spam by verifying the source of e-mail sent to its users, he said.
AOL’s rejection comes a week after an IETF group considering Sender ID as a standard said the proposal needed rewriting. Earlier this month, open-source groups the Apache Software Foundation and the Debian Project dismissed Sender ID because the license would prevent them from supporting the technology.
AOL is concerned about the lack of acceptance for Sender ID in the open-source community, Graham said. Additionally, the ISP is afraid that recent changes to Sender ID will make it incompatible with the original SPF specification, he said. AOL had endorsed Sender ID when it was submitted to the IETF in June.
While AOL’s decision could be seen as another setback for Sender ID, Microsoft said AOL’s action is fully in line with the Sender ID proposal, which is being revised.
Support for SPF essentially equals support for Sender ID, said Microsoft spokesman Sean Sundwall. “AOL’s decision to conduct just the SPF check reflects exactly the flexibility provided by the Sender ID proposal. Sender ID is still alive and there are two ways to do the checking,” he said.
Sender ID combines SPF, developed by Meng Weng Wong of Pobox.com, and the Microsoft-developed Caller ID specification. In May, Microsoft and Meng agreed to merge their proposals and submitted it to the IETF a month later.
The Sender ID proposal to the IETF is being rewritten to allow flexibility on which checking method is used, either the SPF method or a check for the Purported Responsible Address, which was first published as part of Microsoft’s original Caller ID plan, Sundwall said. “AOL’s news is much ado about nothing,” he said.
Microsoft and Wong propose Sender ID as a standard for e-mail authentication, designed to prevent faking of e-mail addresses and the origin of an e-mail message. Criminals have used the ability to forge the origin of an e-mail, for example, in schemes to send e-mail that looks like it is from a bank and tricks users into giving up personal information.
With SPF, organizations publish a list of their approved outgoing e-mail servers, called an SPF record, in the DNS (Domain Name System). That SPF record is then used to verify the source of e-mail messages sent to other Internet domains. Microsoft’s Caller ID works in a similar way.
AOL is not completely backing out of Sender ID. While it won’t check Sender ID records on mail coming in, it will publish Sender ID records for outbound mail, Graham said.
AOL said it is also looking at Domain Keys, a technology developed by rival Yahoo Inc., for possible use in tandem with SPF. With Domain Keys each e-mail gets a digital signature to verify its source.