Home / Blogs

News from the Authentication Summit in NYC

By Bill Nussey CEO & Auhtor

At The Email Authentication Implementation Summit in New York City last week, several major ISPs surprised attendees with their announcement that they are jointly backing a single authentication standard.

Yahoo!, Cisco, EarthLink, AOL, and Microsoft got together and announced they are submitting a new authentication solution, DomainKeys Identified Mail to the Internet Engineering Task Force for approval as a standard. This is big news. To date, these groups have been at odds over authentication, with each promoting their own authentication techniques. While it is likely that each will continue to support its own standard for now (Microsoft with Sender ID, AOL with SPF and Yahoo! with the original DomainKeys), we can expect that they all will begin to use this common standard over the coming years if it is adopted by the IETF.

DomainKeys Identified Mail differs from the original DomainKeys and other proposed authentication standards in that, it not only certifies the origin of a message, it certifies that the content has not been altered in transit. This eliminates the possibility that a message could be intercepted and have its contents changed, yet still be authenticated as having come from the company claiming to have sent the message.

At the conference, Microsoft also urged the ESPs to have Sender ID fully implemented by the holiday season if at all possible. Since proper implementation will in most cases require coordinating with clients’ IT departments, a four-to-five month turnaround may be optimistic.

Overall, the existence of this conference is a great sign for the future of email and email marketing. The fact that so many diverse attendees were converging on a common vision is even more exciting.

By Bill Nussey, CEO & Auhtor

Filed Under

Comments

Suresh Ramasubramanian  –  Jul 22, 2005 2:08 AM

In the interests of setting several records straight, and making a few points clearer.

“AOL’s spf” is just plain wrong. SPF is by meng weng wong of pobox.com (http://spf.pobox.com). The most that AOL has done is to use it in a way that is way out of spec for what it is designed for .. tells large sites who ask it for a whitelist to consider publishing spf records, to automate the updation / maintenance of their whitelist (so if they add or remove netblocks for their sending of email, the changes can be picked up from the spf record).  Even that is not necessary - all people have to do if they dont want spf is to open a ticket with aol’s postmaster staff if they want their whitelist updated.

Domainkeys and Cisco’s IIM merged as they were fairly similar and reasonably complementary proposals - with the added advantage that the considerable experience that Cisco distinguished engineers like Jim Fenton (the author of IIM) has with IETF operations is brought to bear in polishing the joint spec.

A balanced set of use cases of spf and sender id, that also documents the potential gotchas and pitfalls that exist (and show themselves quite often particularly when people publish restrictive -all spf records, and even more when sites treat spf failures as a blanket reason to immediately reject email) - http://www.maawg.org/about/whitepapers/spf_sendID/

More on the blind use of spf here - something I wrote a few months back on circleid. http://www.circleid.com/article/1039_0_1_0_C/

The email authentication summit did not go beyond fairly general issues, and can be treated as a general introduction / update to the authentication issue for people who have not been following it very closely.

You may want to attend MAAWG and IETF meetings - that is where you will see a clearer picture.

# 1 Reply  |  Link  |  Report Problems
Miles  –  Jul 22, 2005 9:28 PM

“DomainKeys Identified Mail differs from the original DomainKeys and other proposed authentication standards in that, it not only certifies the origin of a message, it certifies that the content has not been altered in transit.”

Not true.  To make it true:

DomainKeys Identified Mail differs from and the original DomainKeys differ from other proposed authentication standards in that, they not only certifies the origin of a message, they certify that the content have not been altered in transit.

# 2 Reply  |  Link  |  Report Problems

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

View All Topics