Slashdot Mirror


Email Authentication Schemes - Friends or Foes?

jtprice writes "At a time when spam levels have exceeded 80%, there's growing momentum behind Microsoft's email CallerID, the SPF effort, Yahoo!'s DomainKeys, and the IETF's new MARID Working Group initiatives to address various email abuse problems including spam, joe-jobbing, phishing, and so on. Sendmail has already implemented DomainKeys and CallerID. 10,000+ domains have turned on SPF now. Where the heck are we going with this? Are these efforts at cross purposes, confusing at best or likely to be consolidated? Seems to be less about the end of spam and more about the end of open, uniform, standards-based email as we know it. Apparently the people behind these initiatives are getting together for the first time for something called the Open Email Accountability Symposium next month, at the Inbox Email Conference in San Jose, with the intent of outlining their proposals and answering questions. Any thoughts about all of this, or hard questions that should be asked of these people? Is the email dilemma creating just another monopoly opportunity to force email into proprietary territory?"

2 of 54 comments

  1. Re:It still won't work by jonesvery · Score: 2, Informative

    Most email currently goes through Apache . . . I think that the open source community has done a pretty good job of creating the email server of choice. I think that they're probably the right group to also make it more secure.

    To clarify someone's "ummmmmm" comment -- this is some sort of weird troll, right?

    The Apache Software Foundation does support a project known as James, a "pure Java SMTP and POP3 Mail server and NNTP News server," but ummmmm...well, not a whole lot of people use it.

    Are you perhaps thinking of qmail or postfix?

    --

    * * *
    It is a dada story -- it has no moral.

  2. SPF is Email Authentication by jgardn · Score: 3, Informative

    SPF only authenticates mail as being approved mail from a domain. In itself, this only prevents joe jobbing and phishing, but domains can still send spam.

    As SPF adoption grows, there will be two types of email: authenticated and unauthenticated. Authenticated mail will consist of both spam and legitimate mail. Unauthenticated mail will be just like the mail we are sending around today.

    What does authenticated mail get us? As we can track mail down to the owners, we will begin to set up a trust system. DNS block lists will become viable. The owners of domain names can protect or abuse their domain names as they see fit.

    Eventually, there will be a system where domain names will have value again. If I don't abuse my home domain, and only use it for legitimate purposes, people will not add my name to black lists. If my domain has sent a large number of emails with a very low score of spam, it will be more legitimate than one who has sent only a few emails or has sent mostly spam.

    SPF is only the first step in stopping unsolicited email. Once it is in place, the next step -- accountability -- is easy to implement.

    The beauty of SPF is that it doesn't invalidate email as it is now. Participation is optional. Those who are early adopters get an early boost, so the incentive is there to adopt it early on. But email as it is now will not be stopped.

    --
    The radical sect of Islam would either see you dead or "reverted" to Islam.
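
The distinction drawn in the comment above, as an added example that is not part of the original post or of any SPF implementation: a reduced SPF evaluation (only the `ip4`, `ip6` and `all` mechanisms, no DNS lookups) followed by a per-domain spam tally that counts only mail which passed SPF. The domains, addresses, messages and function names are constructed for illustration; `sender_domain` stands for the envelope sender's domain.

```python
import ipaddress

# Constructed sample TXT records (documentation-range addresses, made-up domains).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulkmailer.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed messages: (sender_domain, connecting client IP, judged spam?)
MESSAGES = [
    ("bank.example", "192.0.2.25", False),        # sent from an approved host
    ("bank.example", "203.0.113.9", True),        # forged sender (joe job / phish)
    ("bulkmailer.example", "198.51.100.7", True), # approved host, still spam
    ("bulkmailer.example", "2001:db8::1", True),  # approved host, still spam
    ("nospf.example", "203.0.113.9", True),       # domain publishes no policy
]

def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    record = records.get(sender_domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no policy published: the "unauthenticated" mail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect= etc. need DNS and are left out of this example
        raise NotImplementedError(f"unsupported term: {term}")
    return "neutral"  # nothing matched and the record has no "all" term

def spam_ratio_by_domain(messages, records=SPF_RECORDS):
    """Attribute spam verdicts only to domains whose mail passed SPF."""
    tally = {}
    for domain, client_ip, is_spam in messages:
        if check_spf(domain, client_ip, records) != "pass":
            continue  # forged or unauthenticated mail says nothing about the domain
        sent, spam = tally.get(domain, (0, 0))
        tally[domain] = (sent + 1, spam + int(is_spam))
    return {d: spam / sent for d, (sent, spam) in tally.items()}
```

With the sample data, the forged bank.example message fails SPF and does not count against that domain, while bulkmailer.example passes SPF on every message and ends up with a spam ratio of 1.0.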