E-mail Authentication: The Choices

Some observers criticize IT vendors for not agreeing on a single, standard way of dealing with evil e-mail. The key e-mail authentication protocols are Microsoft's Sender ID Framework (SIDF), with its Sender Policy Framework (SPF) records, and the rival Yahoo/Cisco DomainKeys Identified Mail (DKIM).

But a good case can be made that e-mail senders, Internet service providers and e-mail recipients should use both SIDF and DKIM.

"Domain owners are well advised to publish information using both standards, and e-mail recipients can use both standards to help filter spam," says Richi Jennings, an e-mail security analyst at Ferris Research Inc. in San Francisco.

But, he adds, "DKIM is better because the methods used to verify that the sender was authorized to use that domain are stronger. SPF/Sender ID has issues with mail lists and other things that autoforward mail."

DKIM is stronger, Jennings says, because it generates cryptographic hashes of content using keys owned by the e-mail sender's domain, while SIDF is simply based on which IP address the message comes from. "This means that DKIM is harder to set up and a little more expensive in terms of computing horsepower," he says.

John Scarrow, Microsoft's general manager of antispam and antiphishing strategy, agrees that the approaches are complementary. "By utilizing both, e-mail senders receive optimal protection and functionality across the board," he says. He acknowledges that DKIM is better for automatic forwarding by servers, such as when a user configures his Hotmail account to automatically forward messages to his Microsoft account.
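
The forwarding difference described above, as an added example that is not from the article or from either vendor: an SPF-style check judges the connecting IP address at each hop, while the DKIM body hash (the `bh=` value) depends only on the content. The record, addresses and message body are constructed; only the `ip4`/`ip6`/`all` SPF mechanisms are evaluated, and the RSA signature DKIM places over the headers is not reproduced.

```python
import base64
import hashlib
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech.lower() == "all":
            return QUALIFIERS[qualifier]
        # Mechanisms that need DNS lookups (a, mx, include) are skipped here.
    return "neutral"  # no mechanism matched

def dkim_body_hash(body):
    """bh= value: SHA-256 over the body after DKIM "simple" canonicalization."""
    while body.endswith(b"\r\n\r\n"):   # drop empty lines at the end of the body
        body = body[:-2]
    if not body.endswith(b"\r\n"):      # body must end in exactly one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def check_hop(record, client_ip, signed_bh, body):
    """Return (SPF result for this hop, whether the body still matches bh=)."""
    return spf_result(record, client_ip), dkim_body_hash(body) == signed_bh

# Constructed sample data: documentation address ranges and a made-up policy.
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
BODY = b"Quarterly report attached.\r\n"
SIGNED_BH = dkim_body_hash(BODY)        # the value the sending domain would sign

if __name__ == "__main__":
    footer = b"-- list footer\r\n"
    print("direct   ", check_hop(RECORD, "192.0.2.25", SIGNED_BH, BODY))
    print("forwarded", check_hop(RECORD, "198.51.100.7", SIGNED_BH, BODY))
    print("rewritten", check_hop(RECORD, "198.51.100.7", SIGNED_BH, BODY + footer))
```

The forwarded hop fails the IP check while the body hash still matches; the last case shows that a hop which rewrites the body invalidates the hash as well.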

But Scarrow argues that DKIM requires users to upgrade to both outbound and inbound message-transfer agents (MTA), such as Microsoft's Exchange Server, and affects "about 10% to 15% of computing cycles, while SIDF has no outbound impact to the MTA and negligible impact to any computing resources."


Copyright © 2006 IDG Communications, Inc.
