Frequently Asked Questions - Security
Q: Why are you putting Sender ID under the Open Specification Promise (OSP)?
A: We think we can promote further industry interoperability among all commercial software solutions that utilize email authentication, including open source solutions, by making Sender ID more clearly available to the entire internet ecosystem, including customers, partners, ISPs, registrars and the developer community. This approach complements Microsoft's broader commitment to combat the spread of spam, phishing, malware and other exploits in email, as well as interoperability, which we achieve in part through enabling access to our technology.
Q: Are you making Sender ID available under the OSP because you received so much criticism for your original licensing approach to the spec?
A: We recognize that there are lingering questions from some members of the development community about Microsoft licensing terms and how those terms may affect developers’ ability to implement Sender ID. It is important to note that great progress has already been made on email authentication worldwide with more than 5 million domain holders adopting Sender ID as a best practice. Sender ID helps protect brands, reduce spam, and counter email exploits. The OSP is a simple, clear way to reassure a broad audience of developers and customers that any Microsoft patents ever needed to implement all or part of the specification could be used for free, easily, now and forever.
Q: What’s the significance of the OSP for Sender ID?
A: By extending the OSP to the Sender ID format, Microsoft will help the industry combat email spoofing and phishing by fostering greater interoperability among all commercial software solutions for email authentication, including open source-based solutions. Implementers of the Sender ID Framework will not need to be concerned about signing a license in order to implement the anti-spoofing and anti-phishing technology. This approach also complements Microsoft's broader commitment to interoperability, which we achieve in part through enabling access to our technology.
• Microsoft is committed to working with the IT industry and businesses to help protect consumers and businesses from the blight of online threats. The Sender ID Framework is an email authentication specification that helps address domain spoofing – a common tactic used for the spread of spam, phishing, malware and other exploits in email – by verifying the domain name from which an email is sent.
• After more than two years of worldwide deployment to over 600 million users, Sender ID already enjoys broad industry support, with approximately 36% of all legitimate email sent worldwide Sender ID-compliant and an estimated 5.5 million domains worldwide protected by Sender ID. Adoption among the Fortune 500 has increased from 7% a year ago to over 23% in year two.
• Email authentication and the ability to validate identity have become critical in the face of the increased sophistication of the online threats being propagated. With Sender ID, senders and receiving networks are afforded an additional layer of safety and security from these exploits.
• Sender ID provides significant business value at no cost and with no impact on performance. Today, businesses throughout the world are realizing enhanced brand and user protection along with improved deliverability of legitimate email. With the addition of Sender ID and the sender’s reputation, false positives can be reduced to nearly zero while false negatives are reduced by over 80%.
Q: Where can I download the Sender ID specifications?
RFC 4406 - Sender ID: Authenticating E-Mail
RFC 4408 - Sender Policy Framework: Authorizing Use of Domains in “Mail From”
RFC 4407 - Purported Responsible Address in E-Mail Messages
RFC 4405 - SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message