Sender ID vs encryption, I

Published 13 November 2007

Fighting spam requires authenticating e-mail addresses on the fly; Microsoft-backed Sender ID battles with encryption-based schemes for adoption by enterprises

Microsoft-backed Sender ID, to be used in authenticating e-mail addresses, is not a favorite of the open source community, which has criticized it and an IETF working group which was trying to fashion it into a standard (it was disbanded before completing its work). Karen Epper Hoffman writes in Microsoft Certified Professional Magazine that be that as it may, industry watchers still expect the Microsoft-backed Sender ID to emerge as the most effective immediate solution to the problem of authenticating e-mail and, ultimately, stopping spam. Sender ID is a protocol jointly developed by Microsoft and Philadelphia, Pennsylvania-based which determines whether an e-mail is coming from the domain it claims to come from by validating the sender’s Internet Protocol (IP) address, which is much more difficult to fake than an e-mail address. Supporters say implementing such e-mail authentication technology will help substantially slow down spam, as well as phishing and spoofing attacks, because most of these scams utilize forged e-mail. There is controversy here, though, and it revolves around two key issues: How much control Microsoft would exert over the burgeoning authentication technology, especially if it becomes a standard; and, longer term, whether Sender ID’s way of validating an e-mail’s origin is effective enough for e-mail providers and enterprises to embrace.

Hoffman writes that the main alternatives to Sender ID are encryption-based schemes like Yahoo DomainKeys and Cisco’s Identified Internet Mail, both of which use a cryptographic signature within the message to verify the sender’s identity. Proponents of such schemes say they do a better job at validating the identity of the user, something no one denies. The question is whether that added validity is worth the price in complexity and expense which it takes to implement an encryption-based scheme. “While there are certain technical advantages to DomainKeys, organizations will go with Sender ID because it offers good enough protection and because it is easier to implement,” concludes Jonathan Penn, a principal analyst for Forrester Research, in a recent brief.

Tomorrow: Comparing Sender ID and encryption-based protection schemes