Computerworld
Print Article
Close Window

EarthLink to test sender authentication for e-mail

The technology aims to cut down on spoofed e-mails and spam

Paul Roberts
 

March 3, 2004 (Computerworld)

Internet service provider EarthLink Inc. will soon begin testing new e-mail security technology, including Microsoft Corp.'s recently released Caller ID technology, a company executive said.
EarthLink will be experimenting "very soon" with sender-authentication technology, including Caller ID and a similar plan called Sender Policy Framework (SPF), said Robert Sanders, chief architect at EarthLink. The Atlanta-based Internet service provider will also evaluate other e-mail security proposals, but it isn't backing any specific technology, he said.
Plans to secure e-mail by verifying the source of e-mail messages have garnered much attention in recent months, as the volume of unsolicited commercial e-mail has swelled and the number of Internet scams has increased.
Spammers and Internet-based criminals often fake, or "spoof," the origin of e-mail messages to trick recipients into opening them and trusting their content. Sender-authentication technologies attempt to stop spoofing by matching the source of e-mail messages with a specific user or an approved e-mail server for the Internet domain that the message purports to come from.
So far, EarthLink has stayed out of the sender-authentication fray, while Web-based e-mail services, including Yahoo Inc. and Hotmail as well as Internet service provider America Online Inc., have all backed slightly different sender-authentication proposals.
Yahoo is promoting an internally developed technology called DomainKeys, that uses public-key cryptography to "sign" e-mail messages. AOL said in January that it's testing SPF for outgoing mail, publishing the Internet Protocol addresses of its e-mail servers in an SPF record in the Domain Name System. Finally, Microsoft-owned Hotmail is publishing the addresses of its e-mail servers using that company's recently announced Caller ID standard.
EarthLink believes that sender authentication is necessary and is prepared to support multiple sender-authentication standards. However, the company hopes that one clear winner emerges from the field of competing proposals, Sanders said.
"I don't think it's unlikely that we'll see two or three coexisting proposals go into production," he said. "We had hopes that they would be able to merge, but I think at this point each standard adds a different function, and we're unlikely to see a merger."
For now, Caller ID and SPF will probably make it into production first, because neither requires companies to deploy new software to participate in the sender-authentication system, Sanders said.
EarthLink is also interested in proposals such as Yahoo's DomainKeys, which allows e-mail authors to cryptographically sign messages, enabling recipients to verify both the content of a message and its author. However, DomainKeys is more complicated to deploy than either Caller ID or SPF and requires software changes that will slow its implementation, he said.
EarthLink is interested in the results of its own trial deployments, as well as those of other organizations. "We have to get real-world data from people who have deployed SPF or Caller ID," Sanders said.
The company is also a member of the Anti-Spam Technical Alliance, an industry group that includes Microsoft, AOL, Yahoo, Comcast Holdings Corp. and British Telecommunications PLC.
Microsoft's backing of Caller ID and its plans to use that technology for Hotmail tips the scales in favor of that technology, he said.
"One factor that determines what you, as an e-mail sender, deploy is the important question of, 'Who am I sending mail to?' What the larger [e-mail] receivers deploy is what you're going to support," Sanders said.