Tuesday, June 15, 2004

Email Authentication Update

Things have come a long way since I first heard about various "Reverse MX" SMTP authentication schemes a little over a year ago. The various efforts have coalesced into something called Sender Policy Framework, or SPF.

Even Microsoft has agreed to merge its similar Caller ID effort into a future version of SPF. I wouldn't be surprised if all of the major email senders are doing SPF a year from now.

Yahoo! DomainKeys is the other interesting area of email authentication. While SPF works to authenticate the domain of the SMTP envelope sender (think "mail server"), DomainKeys uses cryptography to protect the From: header along with the contents of the message. Both techniques are useful; SPF is easier to roll out quickly, while DomainKeys offers stronger authentication. They each have a different set of failure modes and ancillary features.

All of this is good news for Qurb. The weakness of any whitelist-based anti-spam approach is that spammers can pretend to be someone they are not, such as order-confirmations@amazon.com, to sneak past the whitelist. Authenticated email plugs this hole.
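The following is an added example, not code from the original post or from Qurb, of a whitelist check gated on SPF. The SPF records, IP addresses and function names are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are evaluated. It also shows why an SPF pass on the envelope sender does not by itself authenticate the From: header.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption: offline demo).
SPF_RECORDS = {
    "amazon.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
WHITELIST = {"order-confirmations@amazon.com"}  # address taken from the post

def spf_check(client_ip, domain):
    """Return pass/fail/softfail/neutral/none for the connecting IP.
    Simplification: mechanisms other than ip4, ip6 and all are skipped."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        result = qualifiers.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"          # no qualifier means "+"
        if mech == "all":
            return result
        kind, _, net = mech.partition(":")
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(net, strict=False):
            return result
    return "neutral"                        # nothing matched

def whitelist_decision(client_ip, mail_from, header_from):
    """Honor the whitelist only when SPF passes for the domain shown in From:."""
    from_addr = parseaddr(header_from)[1].lower()
    if from_addr not in WHITELIST:
        return "filter"                     # not whitelisted: normal filtering
    env_domain = mail_from.rpartition("@")[2].lower()
    from_domain = from_addr.rpartition("@")[2]
    if spf_check(client_ip, env_domain) != "pass":
        return "reject-spoof"               # server not authorized for that domain
    if env_domain != from_domain:
        # SPF vouched for the envelope domain only; From: is still unverified.
        return "unauthenticated-from"
    return "accept"

if __name__ == "__main__":
    hdr = "Amazon <order-confirmations@amazon.com>"
    for ip, env in [("192.0.2.10", "bounce@amazon.com"),
                    ("203.0.113.5", "bounce@amazon.com"),
                    ("203.0.113.5", "x@bulk.example")]:
        print(ip, env, "->", whitelist_decision(ip, env, hdr))
```

The third case is the gap that a From:-header scheme such as DomainKeys addresses: the sending server is legitimately authorized for its own envelope domain, yet the whitelisted From: address is forged.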
