Who will win the email authentication war?
There have already been a couple of casualties in the battle for email authentication. Habeas and Goodmail Systems both appear to be abandoning their proprietary authentication schemes. While many may not be familiar with those two names, the titans that remain, and their allies, are waging a sort of World Internet War.

Taking sides
On one side is Microsoft's SenderID. Its chief ally is AOL, which re-announced support for SenderID late last year. Actively opposing SenderID are members of the open source community (Apache, Debian, Postfix, Exim and others).
An alternative is Yahoo and Cisco's DomainKeys Identified Mail (DKIM). A chief ally is Earthlink, which dropped support for SenderID this month. DKIM is technically stronger, because the sending server cryptographically signs the message itself rather than merely listing which IP addresses may send for the domain, but it is harder to implement: every outbound server needs a signing key and the public key must be published in DNS.
The equivalent of Geneva, Switzerland, would be Google, which continues to support both solutions in GMail; sometimes you almost forget the two are compatible.

Good versus Evil
On the political side, Microsoft has made it clear that it would rather see SenderID fail than give up its intellectual property rights over PRA. PRA (Purported Responsible Address) is the algorithm SenderID uses to decide which header address to authenticate: the first Resent-Sender or Resent-From header if one is present, otherwise Sender, otherwise From. Because it honours the Resent-* headers a forwarder adds, a forwarder that adds them (and publishes its own record) can still pass, whereas the original SPF check on the envelope sender broke on forwarded mail, a major weakness. Microsoft has said publicly that it doesn't believe its license to be incompatible with the GPL or other open source licenses, but many in the open source community disagree. If Microsoft ever chose to assert those rights, it could be a disaster for open source if the internet had by then become dependent on a proprietary Microsoft technology. Given Microsoft's view of open source as a threat and its predatory history, people don't trust them.

Microsoft aggressive
Microsoft recently launched an aggressive strategy, akin to forcing SenderID down everyone's throat, when it announced a November deadline for publishing SenderID records, after which Hotmail would start putting warning labels on unauthenticated mail. It reminds me of the Passport strategy, where everyone with XP was all but forced to create an account; Passport eventually failed, though.
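The PRA selection described under Good versus Evil, as an added example that is neither Microsoft's code nor part of the original post: it implements the header-selection steps of RFC 4407 in Python over a list of (name, value) header pairs in top-to-bottom message order, and returns the single mailbox whose domain SenderID would then look up. The sample messages (bank.example, esp.example, forwarder.example) are constructed for illustration and are not real mail.

```python
"""Purported Responsible Address (PRA) selection as specified in RFC 4407.

Added example: not Microsoft's code and not from the original post. Walks the
RFC 4407 header-selection steps over (name, value) pairs in top-to-bottom
message order and returns the one mailbox SenderID authenticates.
"""
from email.utils import getaddresses


class PRAError(ValueError):
    """The headers do not yield exactly one responsible address (RFC 4407 error)."""


def _first(headers, name):
    """Index of the first non-empty header called `name`, or None."""
    for i, (n, v) in enumerate(headers):
        if n.lower() == name.lower() and v.strip():
            return i
    return None


def _single_mailbox(value):
    """Step 5: the selected header must hold exactly one mailbox."""
    addrs = [a for _, a in getaddresses([value]) if a]
    if len(addrs) != 1:
        raise PRAError(f"expected exactly one mailbox, got {addrs!r}")
    return addrs[0].lower()


def purported_responsible_address(headers):
    """Return the PRA mailbox for an ordered list of (name, value) header pairs."""
    # Step 1: first non-empty Resent-Sender. It is skipped (step 2 is used) if a
    # Resent-From appears above it with a Received or Return-Path trace header
    # between the two, because that Resent-Sender then belongs to an earlier hop.
    rs = _first(headers, "Resent-Sender")
    if rs is not None:
        rf = _first(headers, "Resent-From")
        trace_between = rf is not None and rf < rs and any(
            n.lower() in ("received", "return-path") for n, _ in headers[rf + 1:rs]
        )
        if not trace_between:
            return _single_mailbox(headers[rs][1])
    # Step 2: first non-empty Resent-From (what a forwarder or list adds).
    rf = _first(headers, "Resent-From")
    if rf is not None:
        return _single_mailbox(headers[rf][1])
    # Step 3: exactly one non-empty Sender header, if any.
    senders = [v for n, v in headers if n.lower() == "sender" and v.strip()]
    if len(senders) > 1:
        raise PRAError("more than one Sender header")
    if senders:
        return _single_mailbox(senders[0])
    # Step 4: exactly one non-empty From header.
    froms = [v for n, v in headers if n.lower() == "from" and v.strip()]
    if len(froms) != 1:
        raise PRAError(f"expected exactly one From header, found {len(froms)}")
    return _single_mailbox(froms[0])


def pra_domain(headers):
    """The domain SenderID looks up: everything after the '@' of the PRA."""
    return purported_responsible_address(headers).rsplit("@", 1)[1]


# Constructed samples (not real messages), top of message first.
DIRECT = [
    ("Received", "from mail.bank.example by mx.hotmail.example"),
    ("From", "Bank Alerts <alerts@bank.example>"),
    ("Sender", "bulk@esp.example"),  # sent on the bank's behalf by a bulk mailer
    ("Subject", "Your statement"),
]
FORWARDED = [  # the same message after a forwarder prepended Resent-* headers
    ("Received", "from relay.forwarder.example by mx.hotmail.example"),
    ("Resent-From", "owner@forwarder.example"),
    ("Received", "from mail.bank.example by relay.forwarder.example"),
] + DIRECT[1:]

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT), ("forwarded", FORWARDED)):
        print(label, purported_responsible_address(msg), pra_domain(msg))
```

Note what the forwarded case shows: the record consulted is the forwarder's (forwarder.example), not the bank's, which is why forwarders must publish records of their own for PRA to help, and why the direct case authenticates the bulk mailer named in Sender rather than the From domain the user sees.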
It's safe to say that most domains won't make the deadline. Many ISPs used by smaller companies don't support adding the required DNS TXT record. In addition, Bank of America cited a six-month implementation time for SPF, because the process of collecting every outbound email IP address is time consuming. It will be interesting to see the Hotmail users' confusion when a significant percentage of their email carries warnings of authentication failure.

Much worse
Much worse will be Hotmail's presentation of authenticated cousin-domain phishing attacks. Starting in November, fraudulent domains such as citibank-audit.com which implement SenderID may appear more legitimate to untrained users than mail from the banks that missed the deadline: a SenderID pass only proves that the sending server is authorised for the domain it names, not that the domain is the one the user thinks it is. It's an early adopter's dream ... if you're a crook.

Yahoo passive
In sharp contrast is Yahoo and Cisco's relatively passive campaign for DKIM. For example, it would be great if Yahoo were creating DKIM plug-ins for all the major mail servers and publishing them on SourceForge.net. However, the reality is that a business signing up to host its domain with Yahoo can't even get DKIM-signed email: they don't support it! Yahoo is showing signs of being a big company when it can't coordinate something like that.

Picking a loser
Iconix works with both authentication solutions, so we're not dependent on one side winning. Indeed, we encourage our senders to adopt both, so that sender identity can be displayed in both Yahoo Mail and Hotmail. However, since neither side is likely to win widespread adoption in the near future, phishing attacks will only continue to grow, and the loser will be the unsuspecting consumer.
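The cousin-domain failure mode described under Much worse, as an added example that is not Iconix's, Microsoft's or any vendor's code and not part of the original post: a minimal SPF/SenderID record evaluator in Python run against a constructed in-memory DNS table instead of live DNS. The domains bank.example and latecomer.example, the record published for citibank-audit.com, and all IP addresses (documentation ranges) are constructed assumptions; only the ip4, ip6 and all mechanisms are implemented.

```python
"""Minimal SPF/SenderID record evaluation against a constructed DNS table.

Added example, not from the original post or any vendor. Shows what a
published record proves (the connecting IP is one the domain owner listed)
and what it does not (that the domain is the one the reader thinks it is).
Records, domains and IPs are constructed; include, a, mx, exists and
redirect mechanisms are deliberately left out.
"""
import ipaddress

# Constructed TXT records. SenderID also consumes v=spf1 records when a domain
# publishes no spf2.0 record. Anyone who controls a domain can publish one.
DNS_TXT = {
    "bank.example":       "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.10 -all",
    "citibank-audit.com": "v=spf1 ip4:203.0.113.0/24 -all",  # hypothetical cousin domain
    "latecomer.example":  None,  # missed the deadline: no record at all
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(txt):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(domain, client_ip, dns=DNS_TXT):
    """Evaluate client_ip against domain's record: pass/fail/softfail/neutral/none."""
    txt = dns.get(domain)
    if txt is None:
        return "none"  # nothing published, so nothing can be authenticated
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_record(txt):
        if mech in ("ip4", "ip6"):
            # membership is False across address families, so an IPv6 client
            # never matches an ip4 term and falls through to "all"
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mech!r} not handled in this example")
    return "neutral"  # record exhausted without a match


def display_verdict(domain, client_ip, trusted):
    """What a mail client could safely show: authentication and trust are separate facts."""
    result = check_spf(domain, client_ip)
    if result != "pass":
        return f"{domain}: unauthenticated ({result})"
    if domain in trusted:
        return f"{domain}: authenticated and recognised"
    # A pass for a domain nobody vouches for is exactly the cousin-domain case
    return f"{domain}: authenticated but unrecognised"


if __name__ == "__main__":
    known = {"bank.example"}
    print(display_verdict("bank.example", "192.0.2.5", known))
    print(display_verdict("latecomer.example", "192.0.2.5", known))
    print(display_verdict("citibank-audit.com", "203.0.113.7", known))
```

Run as written, the genuine bank that missed the deadline comes out "none" and would be labelled, while the cousin domain that published a record comes out "pass"; the only thing separating the two for the user is whether the client also keeps a list of recognised senders, which is the role the authentication protocols themselves do not play.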