Microsoft and AOL Fight Spam, Validate E-Mail

Microsoft and AOL both recently announced their intention to implement new anti-spam initiatives within the next few months at their online services HotMail, MSN, and America On-Line. Both have embraced the proposed "SPF" standard for validating incoming e-mail. Microsoft has incorporated SPF into its proposed "Caller ID" standard, resulting in the newer “Sender ID” proposal. Why? Since a significant amount of spam and "phishing" e-mail uses forged "from" addresses, SPF is seen as a quick way to flag such messages yet allow valid e-mails to pass into the system. SPF also appears to be easier to implement than other suggested solutions.

The way SPF works is to use the existing Internet DNS system to tell the world that, for instance, mail arriving "from" is valid only if it arrives from one out of a list of four servers. Any mail arriving from a server not on the “valid” list is considered suspect and probably forged.

The downside? Owners of each domain name will have to come up with a list of valid servers. Since some organizations send mail through an internal mail server, or have remote users send through their dial-up ISP's mail server, that is harder than it might sound. In addition, e-mail hosting providers are faced with the task of updating and maintaining SPF records for anywhere from dozens to thousands of domains.

AOL says it intends to use SPF to help maintain its e-mail "whitelist" of valid mail servers. Microsoft says it will initially use Sender ID to filter out non-compliant messages for further anti-spam processing. Overall, setting up SPF for your domain should help prevent others from using your domain name to send spam or other forged e-mails, so we think it is a good idea, and intend to set up SPF for all domains hosted with ITS Web Hosting.

Update - October 2004

Sadly, Sender ID as a unified standard was dealt a blow in recent weeks, as several large open source providers such as the Apache group (sponsors of the Apache web server) said that Microsoft's desire to retain intellectual property rights would prevent them from implementing Sender ID. SPF, however, is rolling forward.

Update - July 2005

After several modifications to the standard, SPF is finally gaining traction and nearing RFC status. Accordingly, ITS is ready to implement SPF for any domain hosted by us that wants to set it up.

August 2004
