I was quoted in today’s CNet article about Microsoft’s deployment of Sender ID.
I’ve been working on email authentication issues for many years, including helping to develop a technology that Microsoft was once a beta-tester of. That technology, called Trusted Sender, turned out to be tremendously effective, which must be why Microsoft torpedoed it in favor or their lame “Caller ID for Email” scheme, which morphed into Sender ID.
Lest you think my complaints are just sour grapes, I’ll just say this. I’m not the only one who thinks Sender ID is a bad idea, and that Microsoft’s tactics in this space have been counter productive. I also note that we revoked the patent applications on our Trusted Sender technology and publicly released the standard for anyone to use.
Parenthetically, Sender ID has largely been pushed by the Exchange team at Microsoft, a group of well-meaning engineers who have, unfortunately, designed one of the most dysfunctional email infrastructure technologies to ever be foisted on the world. Not only is Exchange a resource pig, but it is designed to thumb its nose at many critical email standards. For example, it commits a cardinal sin: it rearranges and occasionally even rewrites email headers. For those who aren’t steeped in email technology, just understand that fiddling with headers is like randomly changing numbers on your tax return… there’s just no telling how it’ll screw things up.
But the larger issue is that during the course of my many years of work on email authentication issues, I have constantly watched Microsoft attempt to bully and coerce the world into adopting its myopic view of email authentication. Microsoft started out its involvement in the authentication space by attempting to organize a consortium of companies that would collaborate on a common standard, but Microsoft insisted that the standard be patented and owned by the collaborating companies.
This would have assured that they, as the only real enterprise software company in their hand-selected consortium, would have had the corner on the market. Seeing through the ruse, few of the participants wanted anything to do with Microsoft’s vision of how to control email. So Microsoft was on its own.
In considering which of the various authentication schemes Microsoft could actually support, they seem to have decided to crib from Meng Wong’s “Sender Policy Framework” (SPF), only they instead chose to make it even more cumbersome and obtuse. At one point SPF and Microsoft’s original “Caller ID” proposal were merged into what became known as Sender ID. Unfortunately SPF has its own problems, most of which are unhelped, and in some cases exacerbated, by the combination with Caller ID.
The current morass that is the email authentication debate is too long and convoluted to detail here. Suffice to say, the world still isn’t very close to a workable standard. My gut reaction to the Microsoft move is that they’ll make this big announcement, find out that tons of legitimate email is getting marked as spam, and have to make drastic modifications to the plan. Of course they’ll never admit that it was a mess, claim it’s all working beautifully despite any evidence that they realized their screw up, and continue to obstruct real progress in the space.