AOL has decided not to fully support Microsoft's Sender ID spam-fighting plan after the Internet Engineering Task Force (IETF) and open- source community expressed intellectual property concerns.
"AOL will not now be moving forward with full deployment of the Sender ID protocol," spokesman Nicholas Graham said, the company will support only the sender policy framework (SPF) to fight spam by verifying the source of email sent to its users, he said.
AOL's rejection comes a week after an IETF group considering Sender ID as a standard said the proposal needed rewriting. Earlier this month, open-source groups the Apache Software Foundation and the Debian Project dismissed Sender ID because the license would prevent them from supporting the technology.
AOL is concerned about the lack of acceptance for Sender ID in the open-source community, Graham said. Additionally, the ISP is afraid that recent changes to Sender ID will make it incompatible with the original SPF specification, he said. AOL had endorsed Sender ID when it was submitted to the IETF in June.
While AOL's decision could be seen as another setback for Sender ID, Microsoft said AOL's action is fully in line with the Sender ID proposal, which is being revised.
AOL's lack of support is support - Microsoft
Support for SPF essentially equals support for Sender ID, said Microsoft spokesman Sean Sundwall. "AOL's decision to conduct just the SPF check reflects exactly the flexibility provided by the Sender ID proposal. Sender ID is still alive and there are two ways to do the checking," he said.
Sender ID combines SPF with the Microsoft-developed Caller ID specification. The Sender ID proposal to the IETF is being rewritten to allow flexibility on which checking method is used, either the SPF method or a check for the Purported Responsible Address, which was first published as part of Microsoft's original Caller ID plan, Sundwall said. "AOL's news is much ado about nothing," he said.
Standard Microsoft standard
Sender ID is a proposed standard for email authentication, designed to prevent faking of email addresses and the origin of an email message. Criminals have used the ability to forge the origin of an email to engage in 'phishing' scams.
With SPF, organizations publish a list of their approved outgoing email servers, called an SPF record, in the DNS (Domain Name System). That SPF record is then used to verify the source of email messages sent to other Internet domains. Microsoft's Caller ID works in a similar way.
AOL is not completely backing out of Sender ID. While it won't check Sender ID records on mail coming in, it will publish Sender ID records for outbound mail, Graham said.
AOL said it is also looking at Domain Keys, a technology developed by Yahoo, for possible use in tandem with SPF. With Domain Keys each email gets a digital signature to verify its source.