Page III: For almost two years, I've argued for a non-proprietary, interoperable, freely deployable anti-spam standard, even as every spam-fighting solution I've seen has failed to pass muster. Until now.
DomainKeys, however, adds new information to an e-mail as it's being sent. That information stays with the e-mail when it's forwarded, which in turn preserves the integrity of the comparison that the final receiving system must make to data that's stored in the DNS when attempting to authenticate a sender. This, in combination with DomainKeys' use of cryptography to secure that data, is one of the reasons that DomainKeys is not considered to be a competing specification. Instead, DomainKeys is seen as complementary, and proponents of SPF and CallerID, including Microsoft's Sundwall, regard the rollout of DomainKeys, or something like it, as a natural second phase once the easier specifications are deployed.
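The forwarding behaviour described above, sketched as an added example that is not part of the original article or of any DomainKeys implementation: a signature carried in the message still verifies against a DNS-published key after a relay changes the connecting IP, while a check that lists permitted sending IPs in DNS (the approach SPF takes) does not. The textbook-RSA key, the dictionary standing in for DNS, the `Signature` field layout, and all domain names and addresses are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes, no padding: illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the sending domain

# Constructed stand-in for DNS: the domain publishes its permitted relay IPs
# (path-based check) and its public key under a selector (message-based check).
DNS = {
    "example.com": {"allowed_ips": {"192.0.2.10"}},
    "sel1._domainkey.example.com": {"n": N, "e": E},
}

def digest(msg):
    """Hash the From header and body, the parts this sketch's signature covers."""
    data = (msg["From"] + "\r\n" + msg["body"]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(msg, selector="sel1"):
    """Sending MTA: attach a signature that travels with the message."""
    signed = dict(msg)
    signed["Signature"] = {"s": selector, "b": pow(digest(msg), D, N)}
    return signed

def path_check(msg, connecting_ip):
    """Path-based check: is the connecting IP listed by the From domain?"""
    domain = msg["From"].rsplit("@", 1)[1]
    return connecting_ip in DNS.get(domain, {}).get("allowed_ips", set())

def signature_check(msg):
    """Message-based check: verify the carried signature against the DNS key."""
    sig = msg.get("Signature")
    domain = msg["From"].rsplit("@", 1)[1]
    key = DNS.get(f"{sig['s']}._domainkey.{domain}") if sig else None
    return bool(key) and pow(sig["b"], key["e"], key["n"]) == digest(msg)

def deliver(msg, connecting_ip):
    """Receiving MTA: run both checks on an inbound message."""
    return {"path": path_check(msg, connecting_ip),
            "signature": signature_check(msg)}

original = sign({"From": "news@example.com", "body": "Weekly newsletter"})
direct = deliver(original, "192.0.2.10")       # straight from the domain's MTA
forwarded = deliver(original, "198.51.100.7")  # relayed by a forwarder's MTA
tampered = deliver(dict(original, body="Click here"), "192.0.2.10")
spoofed = deliver({"From": "news@example.com", "body": "Hi"}, "203.0.113.5")
```
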
"Spoofing is a humongous problem that needs to be solved now," said Sundwall. "We think DomainKeys is a great idea. We just don't want to wait. We see it being implemented on top of CallerID, SPF, or a specification that's a merger of the two." Sundwall said Microsoft is working closely with Meng Weng Wong, the developer of SPF, to figure out how the two specifications can be merged.
Should any of the three specifications (or some IETF-inspired permutation) penetrate the Internet to the point that most MTAs are interoperating over them, the question then becomes: What's next? Most people I've spoken with think some sort of reputation management system comes next.
IronPort is one company attempting to address the idea of a reputation service through a protocol it calls SMTPi. But the ePrivacyGroup's Schiavone thinks that's putting the cart before the horse. "Once you've established the 'who', there are still two more pieces of information that are more important than reputation: the 'what' and the 'why,'" said Schiavone. "What are you sending to me and why are you sending it? You are David Berlind from ZDNet, you are sending me a newsletter, and you're sending it to me because I [requested it]."
TEOS, as Schiavone describes it, is about providing the sort of granular information that helps recipients separate the wheat from the chaff. "The beauty of such granularity," said Schiavone, "is that existing laws address its usage. If you misrepresent any of the information, it becomes a fraud or truth-in-advertising situation."
Levine, the co-chair of the IRTF's ASRG, is helping Schiavone codify the TEOS specification into yet another RFC -- a protocol layer that would sit on top of authenticating protocols like SPF, CallerID, and DomainKeys.
What chance, if any, do these specifications have of finding their way into the Internet?
Eric Allman, CTO at SendMail, is optimistic. SendMail has been testing DomainKeys and, according to Allman, is also working with CallerID. These activities bode well for the penetration of the specifications. According to Yahoo's Libby, SendMail's MTAs account for 60 percent of all MTAs on the Internet. Between support from AMY and the sort of penetration that SendMail could bring to bear, the authentication specifications in question could get a good head start. But a head start is one thing, penetration is another. As Allman pointed out, SendMail's support of a specification, and the penetration of that specification, are two entirely different issues. "The architecture of SendMail is such that support can be included in new versions as well as added to old installations," said Allman. "Whether or not users, especially existing ones, take advantage of the additional support is a separate question."
OK, so it may take a while. But it's a start, and both Yahoo and Microsoft deserve credit for doing the right thing to rid the Internet of its worst scourge. Let's hope they stay the course.










