Around 2002 I "thought" I had a pretty good idea, which was to use domain-level authentication between email servers. This was a lot easier than implementing end-to-end authentication because you only needed digital certificates for the email servers. I submitted it to the anti-spam community and it was shot down pretty hard because there was no agreement on how to handle this.
A year later SPF (Sender Policy Framework) hit, and Microsoft produced their own solution and merged with SPF for SenderID, which they just recently released as a will-not-sue open standard. SenderID only used DNS to designate official outbound mail servers so that the "from" address along with the email headers cannot be spoofed. The problem with SenderID is that it breaks third-party SMTP relaying, and there was and still is a lot of opposition to it.
Around the same time in 2003 Yahoo came out with Domain Keys, which was very similar to my idea a year earlier, only Yahoo's idea solved the problem of having to buy digital certificates for the SMTP mail servers. Domain Keys uses DNS to publish the name and public key certificates so you didn't have to pay Verisign hundreds of dollars to get a certificate. I really liked Domain Keys and still do, but the email community opposes it and it still can't get traction.
The whole problem with enforcing email domain authentication is that it requires the whole world to use it or it won't work. So long as any significant number of legitimate email servers won't support it, you have to allow inbound unauthenticated servers or risk bouncing too many emails. So long as that remains the case, spammers will simply come in as unauthenticated.
But let's say we can get the whole world to agree to use authentication. The problem there is that spammers will just switch domain names every day or every hour if they have to avoid blacklisted domain names. That certainly would make spammers' lives much more difficult because they can only spam with a domain once before the entire world is notified. But if you've ever spent any time in the anti-spam mailing lists and forums where the experts hang out, you'll understand that there is no agreement on how to handle this and there is still a lot of opposition to mandated domain authentication.
There is also the idea of bonded senders, where a domain would put up some money and risk losing it if they send any spam. The problem with this is how you would even enforce this. If someone gets an AOL or Yahoo account and spams from it, would you punish the entire domain? OK, so we track each domain to see how responsible they are, but who and how would we do this accurately? Do we get the government to track these statistics?
On the issue of government, there is a little problem of freedom if we ban all forms of anonymous emails. Imagine governments like Russia or China could see the identity of the sender of every single email by looking at the digital certificate of the domain it was from. How would that go over with Amnesty International? I'm not saying these problems can't be solved; just that it is VERY difficult to solve. I was naïve three years ago thinking this was an easy problem to solve. I still think it's solvable by using some form of sender authentication like Yahoo Domain Keys, which provides authentication and non-repudiation IF we can ever satisfy the privacy advocates and IF we can work out all the implementation devils.
Anyways, great question. I'll probably have to clean this up and post it as a blog.
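An added illustration, not part of the original post, of the DNS-designated-sender check described above: it shows why mail forwarded through a third-party relay fails the check, and why a receiver that still accepts domains publishing nothing gains little. It assumes SPF record syntax limited to the `ip4` and `all` mechanisms; the domains, addresses, record contents and function names are constructed, and a dictionary stands in for DNS TXT lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation domains and address ranges).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip):
    """Return the SPF-style result for a connecting IP that claims `domain`."""
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # other mechanisms (a, mx, include, ...) are outside this sketch
    return "neutral"


def receiver_accepts(result, reject_unauthenticated=False):
    """Hypothetical receiver policy: reject 'fail'; reject 'none' only if strict."""
    if result == "fail":
        return False
    if result == "none":
        return not reject_unauthenticated
    return True


if __name__ == "__main__":
    cases = [
        ("direct from designated server", "example.com", "192.0.2.10"),
        ("same message via third-party relay", "example.com", "203.0.113.7"),
        ("domain with no published policy", "unpublished.example", "203.0.113.7"),
    ]
    for label, domain, ip in cases:
        result = check_sender(domain, ip)
        print(f"{label}: {result}, accepted={receiver_accepts(result)}")
```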