Thursday, September 07, 2006

Getting email through: SenderID, DomainKeys and SPF

I've been trying to see how I can stop Google from tagging my email as spam. Only Google, which has the worst spam filtering in the industry, has this problem. I've been looking into what's available in terms of sender authentication. Alas, things are not in great shape. There are 3 options currently:
  • DomainKeys: "cryptographically proves that the mail did in fact originate at the purported domain, and has not been tampered with in transit." Supported by Yahoo, Google, and, I think, Earthlink.

  • Sender Policy Framework SPF: Wikipedia - "SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path)". Spammers, however, were early adopters of SPF. SPF has been championed by AOL.

  • SenderID: was a combination of SPF and "Caller ID". Unfortunately Microsoft has the relevant patents and they chose to use those patents to attack open source software. The result was the rejection of SenderID. (SenderID also uses SPF, so it's "SPF + Caller ID")
SPF has an open source implementation, but it's not encouraging that it was widely adopted by spammers. Also, AOL is not a great champion. SPF isn't enough by itself to bother with.

SenderID has the advantage of Microsoft's support, but the Wikipedia article makes it sound awful on several levels.

That leaves DomainKeys, which has been adopted by Google and Yahoo. Yahoo owns the key patent, but they produced an open source type license.

I have two ISPs: VISI and Lunarpages. VISI doesn't do support any form of email authentication (they promised to put my request on the list), but Lunarpages supports SPF -- unfortunately SPF doesn't seem to amount to much.

I get the sense that first rank ISPs will support DomainKeys, and that corporate pressures may force support of SenderID too -- no matter how ugly it is. In the meantime, I'll just encourage my ISPs to look at DomainKeys more seriously.

No comments: