Skip navigation

Sender ID Hits Roadblock

Sender ID--a specification created to counter email domain spoofing--is in the spotlight once again, this time due to licensing issues. Microsoft has said that it won't require anyone to sign a license agreement to implement Sender ID. The company has also said that end users and companies that distribute a licensed, branded implementation of Sender ID won't need to sign a license agreement and that there will never be a royalty fee for licensing. In short, the company appears to want to maintain complete control over the technology but not charge people to use it.

Some open source advocates don't like the licensing structure, alleging that it might require competitors to inform Microsoft of their intended use of the technology and that it might place undue restrictions on those who do implement the technology. For example, end users might receive limited rights to the software under Microsoft's license, whereas mainstream open source licenses pass on full rights to end users.

At least one company, Sendmail, has stated that it will release a Sender ID Message Transfer Agent (MTA) without signing any license agreement with Microsoft. Another major developer, Apache Software Foundation (ASF), has stated that it won't implement Sender ID due to the licensing format.

In a position statement posted on its Web site, ASF states, "The licenses are said to be 'personal' (though a reciprocally granted license is not required to be), which prevent\[s\] assignment to an acquiring party, so open source projects may not be able to transfer a license to new maintainers or organizations."

ASF also says, "The scope of the patent license is limited to compliant implementations. This is incompatible with the broad grant of open source licenses to create any derivative work whatsoever. In addition, as Internet software is often non-compliant for many possible different reasons, this would restrict the use of Sender ID unacceptably." As you might already know, ASF is the maker of the hugely popular SpamAssassin email filter software, as well as the Java Apache Mail Enterprise Server (James). So ASF's choosing not to implement Sender ID would have a significant impact on Internet-wide compatibility. For more information about Sender ID, see "The Sender Policy Framework and Caller ID for Email, " Exchange and Outlook UPDATE, March 11, 2004 (at the first URL below) and "Three Proposed Ways to Stem the Email Influx," Security UPDATE, March 3, 2004 (at the second URL below). You can read a lot of opinion and debate on Sender ID on the Internet Engineering Task Force (IETF) ietf-mxcomp mailing list, which is hosted by the Internet Mail Consortium (at the third URL below).

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.