The Complete Guide to Email Authentication, Part 2

This is part 2 of an 8-part series on Email Authentication. To go to part one, click here.

A Brief History of Email Authentication

Meng Weng Wong and Sender Policy Framework

The concept of email authentication – validating the sender of an email either by IP address or by cryptographic signature – dates back as far as 1997. Multiple specifications and proposals had been submitted to the Internet standards community for acceptance, including a set of six “designated sender” proposals called Lightweight MTA Authentication Protocol (LMAP). Sender Policy Framework was one of these proposals.

Sender Policy Framework (SPF) evolved when two LMAP proposals, “Reverse MX” (RMX) and “Designated Mailer Protocol” (DMP), were merged by a serial entrepreneur named Meng Weng Wong. With much collaboration from the email and Internet industry, the specification was approved, and in April 2006 the SPF RFC standard was published. Originally, SPF stood for “Sender Permitted From”, and was sometimes also called SMTP+SPF. However, in February 2004, the name “Sender Policy Framework” was finalized.

Microsoft and Sender ID Framework

At the same time that the LMAP proposals were being developed, Microsoft began working on its own proposal for authentication which they called “Caller ID for Email” – a standard similar to SPF, but with technical variations. That standard eventually morphed into “Sender ID Framework”, which is the standard used today.

While Sender ID also uses SPF to authenticate an incoming message, it does not use the same standard as the SPF created by Meng Weng Wong. As a result of this, the original standard became known as SPFv1 or SPF Classic. Conversely, Sender ID is also referred to as SPF2.0/PRA.

Because of the differences between Sender ID and SPF, including issues around intellectual property, Sender ID never gained acceptance by the Internet standards community. Nevertheless, Microsoft moved forward with the adoption and implementation of Sender ID. And today, any mail sent to Microsoft properties is verified using the Sender ID standard.

Yahoo and Cisco

With multiple authentication approaches in development across the Internet, Yahoo also submitted their contribution by creating a new standard that utilized cryptographic signatures to authenticate outbound messages. In partnership with Sendmail, Yahoo implemented this standard on their servers in November 2004. Within days of implementation, Earthlink began testing the DomainKeys verification process. Yahoo developed DomainKeys (and implemented it on their own systems) in the hope that it would lead to broader adoption of the technology, and ultimately stem the rise of spam and phishing attacks through email.

At about the same time, Cisco also created a cryptographic email authentication standard called Identified Internet Mail (IIM). Very similar to DomainKeys, it embedded a cryptographic signature into the email message; however, it included additional authorization metrics that were not part of the DomainKeys standard.

Eventually the two standards were merged, and in May 2007, the DomainKeys Identified Mail (DKIM) RFC standard was published.
