But if the Microsoft chairman was betting on Sender ID to play a major role in achieving that goal, it looks like a losing bet.
The Microsoft-backed protocol to identify e-mail senders aims to stem spam and phishing by making it harder for senders to forge their addresses and by improving filtering. So far, though, there's been a lack of adoption by legitimate businesses. Instead, it's been proving popular with a group it's meant to deter -- spammers.
Confidence in e-mail is falling, as its abuse for online scams is growing. If legitimate businesses don't sign up for Sender ID or similar technologies, that trend could continue and undermine e-mail's usefulness.
"There is an identity crisis for e-mail right now," said Samantha McManus, a business strategy manager at Microsoft. "The e-mail infrastructure was built in a different era, when you actually knew who was sending you e-mail and you did not have to worry."
Phishing uses spam e-mail with a forged sender name and a link to a fraudulent Web site in an attempt to trick the victim into giving up sensitive personal information such as passwords. That fraud scheme and other cyberthreats are taking a toll on consumer confidence that will inhibit e-commerce growth in the United States by up to 3 percent in the next three years, Gartner predicted in June. In the same survey, the research firm found that more than 80 percent of online consumers in the United States distrust e-mails from individuals or consumers they don't know.
Basically, Sender ID checks whether an e-mail that claims to come from a certain Internet domain (such as "customerservice@anybank.com") really originates from the e-mail servers associated with that domain ("anybank.com"). The system uses the Domain Name System, or DNS, to make that determination. Sender Policy Framework (SPF), which merged with Microsoft's Caller ID for E-mail Technology to become Sender ID, also uses the same approach.
If adopted widely, an e-mail authentication technology like Sender ID could help people make sure that a message that claims to be from their bank actually was sent by the bank. Authentication alone does not stop junk and spoofed messages, but it can make spam filters more effective, by allowing filters to rate domains based on the e-mail that is sent, for example.
But the use of authentication technology requires a major change in the e-mail infrastructure. Any organisation that maintains an e-mail server -- that includes companies, schools, Internet service providers and others -- has to publish SPF or Sender ID records, or both, to identify their mail servers.
Sender ID isn't the only technology out to clean up e-mail by identifying the source. Here's a rundown of the pack.
Sender ID
Brings together two previous security technologies: Caller ID
for E-mail, introduced by Microsoft in February 2004, and SPF,
developed by Meng Wong. In early
stages of standards process at IETF, which had previously
dropped a working group on Sender ID.
SPF
Short for Sender Policy Framework. Technology merged into
Sender ID spec. Other versions exist, and is planned to be
integrated into other e-mail security technologies, such as
IBM's FairUCE.
DKIM
Merges Yahoo's
DomainKeys with Cisco's Internet Identified Mail. DKIM, or
DomainKeys Identified Mail, relies on public key cryptography.
It attaches a digital signature to outgoing e-mail so that
recipients can verify that the message comes from its claimed
source.
FairUCE
An IBM project that uses DNS, like SPF and Sender ID. A future
version will incorporate SPF or similar sender identification
systems.
That wide-ranging shake-up is just what the e-mail infrastructure needs, said Meng Wong, the chief technology officer for special projects at e-mail forwarding company POBox.com and a developer of the original SPF specification.
"E-mail is broken," he said. "We will need some shocks to the system to fix it. There is a certain tolerance for breaking things a bit more, as long as you get it fixed. Kind of like when somebody's shoulder is dislocated, you know it is going to hurt when you put it back, but at least it is temporary."
So far, Sender ID and related technologies have not delivered on their promise. There is a lack of adoption by legitimate e-mail senders. Spammers have adopted Sender ID and its predecessor SPF, but without adoption by a critical mass of legitimate e-mail senders, the technology will fail, experts said. With that failure, one shot at fixing e-mail could be lost.
What's involved?
Microsoft argues that publishing SPF or Sender ID records is simple for those organisations that want to do it. It usually does not require new hardware or software. The most arduous part is doing an inventory of mail servers and the subsequent maintenance of that record, said Samantha McManus, a business strategy manager at Microsoft.
Large organisations often have complex e-mail systems that are managed by many people in different geographic locations, according to Gartner. Also, parts of the company's e-mail or DNS infrastructure may be outsourced, making the task more complex. At the other end of the scale, many smaller companies don't have the expertise to publish information on their e-mail servers in their DNS record, Gartner said.
Also complicating matters are the multiple specifications that exist. There are several versions of SPF, and there is Sender ID, for example.
Those could be reasons why the technology hasn't proved too popular with businesses. Gartner analyst Lydia Leong doesn't expect companies to start picking it up anytime soon. "Adoption will be slow, and many enterprises will not publish records until 2007," she said.
About 1 million domains currently publish SPF records, Microsoft said. That's much fewer than the 71.4 million domains that had been registered worldwide by the end of last year.
There is evidence to suggest that quite a few of the technology's adopters are senders of junk e-mail. Out of a sample of more than 17.7 million e-mail messages taken in late June, a little more than 9 percent were from domains that published an SPF or Sender ID record, according to spam-filtering company MX Logic. About 84 percent of those authenticated messages were spam, it found.
"The majority of the adoption has been by rogue senders trying to get some legitimacy for their messages," said Scott Chasin, the chief technology officer at Denver-based MX Logic.
For spammers, publishing a valid record means they will pass that part of a spam check. Earlier this year, Microsoft said its Web-based e-mail service Hotmail would start flagging e-mail without valid authentication as potential spam.
"The spammers have more of a motivation to go and do it than most other people," said Forrester analyst Paul Stamp.
Critical mass
For Sender ID to get picked up more widely, the technology needs to become easier to adopt and provide a clear benefit to users, analysts and experts said. "If we don't reach critical mass on the authentication of legitimate senders, there are going to be dire consequences," said Dave Lewis, vice president of marketing at Redwood Shores, California-based StrongMail.
When will the industry press wake up and acknowledge that the solution to spam is not some elusive and unsolveable problem.
Sendio provides a Sender Address Verification (SAV) appliance that comes with a money back guarantee - Zero spam / Zero False positives or your money back.
We've never gotten a system back...ever...not one. Hmmm, it must work.
www.sendio.com