Microsoft to enforce Sender ID checks

Microsoft will soon put some bite into its Sender ID antispam plans by checking e-mail messages sent to its Hotmail, MSN and mail accounts to see if they come from valid e-mail servers, as identified by the Sender ID, according to a company executive.

The company is strongly urging e-mail providers and Internet service providers (ISPs) to publish Sender Policy Framework (SPF) records that identify their e-mail servers in the domain name system (DNS) by mid-September. Microsoft will begin matching the source of inbound e-mail to the Internet Protocol (IP) addresses of e-mail servers listed in that sending domain's SPF record by Oct. 1. Messages that fail the check will not be rejected, but will be further scrutinized and filtered, said Craig Spiezle, director of Microsoft's Safety Technology and Strategy Group.

Spiezle announced the company's plans while speaking to a group of antispam luminaries on Thursday at The Open Group Conference in Boston.

Sender ID is a proposed technology standard, backed by Microsoft, for verifying an e-mail message's source. It combines two previous standards: the Microsoft-developed "Caller ID," and the Meng Weng Wong-developed SPF. The proposed standard was submitted to the Internet Engineering Task Force (IETF) in June for consideration. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders -- including spammers -- to fake, or "spoof," their message's origin.

Microsoft Chairman and Chief Software Architect Bill Gates unveiled Caller ID in March. The proposed standard asks e-mail senders to publish the IP address of their outgoing e-mail servers. E-mail servers and clients that receive messages from Caller ID domains could check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that didn't match the source address could be discarded or quarantined.

DNS is the system that translates numeric IP addresses into readable Internet domain names.

SPF also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only checks for spoofing at the message transport or "envelope" level, verifying the "bounce back" address for an e-mail, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

Under the merger proposal, organizations sending e-mail will publish SPF records identifying outgoing e-mail servers in DNS. Companies will be able to check for spoofing at the envelope level, as proposed by SPF, and in the message body, as proposed by Microsoft.

Tens of thousands of SPF records have already been published in DNS by companies and Internet service providers such as Microsoft and America Online. However, few companies have taken the added step of using information from the published SPF records to confirm the "purported responsible address," or PRA that the e-mail message claims as its source.

A failed PRA check will be a "factor" that Microsoft's SmartFilter technology will use to determine whether a given message is spam, according to George Webb, business manager for the Antispam Technology & Strategy group at Microsoft. The extra filtering will be akin to extra security screening at an airport, slowing unauthenticated messages down, compared with messages with confirmed PRAs.

"We're at a point where we think it's clear people should be publishing SPF records," Webb said.

As one of the largest e-mail providers, Microsoft's decision to enforce SPF record checking will ripple throughout the Internet. However, administrators at e-mail provider and ISPs ultimately decide whether to validate incoming messages' PRAs, and what to do with messages that fail the check, according to Webb. Mail Transfer Agent (MTA) vendors, which make e-mail servers, must also design their products to act on the Sender ID authentication information, he said.

Microsoft is reaching out to major ISPs through the Global Infrastructure Alliance for Internet Safety, an international ISP working group, informing them of its plans and encouraging them to publish SPF records. The company is also working with leading MTA makers, including Sendmail and IBM, Webb said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?