The new plan resolves disputes with ISPs and the open-source software community about the use of patent-pending technology in Sender ID and should lead to broader adoption of the standard - at least according to Meng Weng Wong of Pobox.com, co-author of the revised proposal.
Sender ID is a technology standard that closes loopholes in the current system for sending and receiving e-mail that allow spammers to spoof a message's origin. The standard combines two earlier authentication standards: Caller ID, developed by Microsoft, and Sender Policy Framework (SPF), developed by Meng.
Organisations publish a list of their approved e-mail servers in the DNS and can verify the origin of e-mail messages by checking source information either in "mail-from," also known as the "envelope from" field, in the message envelope. Alternatively, an e-mail address in the message header known as the purported responsible address (PRA) can be checked.
Microsoft submitted a draft of Sender ID to an IETF working group in June for consideration but the process became bogged down over questions about patents that Microsoft said it had regarding algorithms used to check PRA addresses. It also came with licensing requirements that Microsoft wanted to place on organisations that deployed Sender ID.
Open-source advocates objected to Microsoft's requirement that anybody using Sender ID authenticate the PRA address, not just the mail-from address used in SPF checks, Meng said.
The dispute produced some high-profile defections from the proposed specification, including the Apache Software Foundation and the Debian Project. Then AOL, an early SPF supporter, also said it would not fully implement Sender ID after the IETF rejected the proposal, because it was not compatible with early forms of SPF.
The new version of the standard addresses those concerns by allowing organisations to do either SPF checks on the mail-from address, or the fuller PRA checks, Meng said.
AOL has said it will support the revised Sender ID specification because it did not require the 100,000 domains that have published SPF records to change their DNS listings. "This saves AOL and many others a great deal of time, resources and development work," the company said.
Microsoft expects the specification to be given "experimental" status by the IETF, but does not know if it will be taken up for formal approval by the group. Regardless, the software giant will rally support for the spec among leading ISPs. Mail bound for Microsoft's Hotmail Web-based e-mail service will be checked for valid PRA addresses by the end of 2004. Messages that fail the PRA check will be submitted to additional filtering using Microsoft's SmartFilter technology, the company said.
Despite the changes, the new specification still might not satisfy open-source software advocates, who remain concerned about Microsoft's patent claims and its ultimate plans for Sender ID and the larger problem of proliferating IP patents in the technology sector, Meng said.
A Microsoft spokesman said that the proposed Sender ID licence satisfied groups such as the World Wide Web Consortium and the American National Standards Institute (ANSI), and that was enough for Microsoft - even if groups such as the Free Software Foundation continue to oppose Sender ID.
Microsoft also took pains to clarify language in one of its Sender ID patent claims that some critics interpreted as encompassing SPF mail-from checks, in addition to PRA checks, Sundwall said. An "experimental RFC" (Request for Comment) version of the Sender ID specification should be published by IETF by the end of the year, Meng said, but he doesn't expect it to end up for consideration by a working group again.
The anti-spam working group was disbanded late last month.