The Microsoft-backed Sender ID scheme for email is gaining traction with key software developers, and could eventually check the rising tide of spam. However, experts warned that Sender ID would only be effective as part of a multi-tiered anti-spam defence.

Open-source email giant Sendmail last week released a Sender ID module for its server software and hailed it as a major step forward. "It changes the entire email paradigm by allowing the end-user to control the message experience," said Dave Anderson, Sendmail's chief executive. "If we don't fix [spam], fraud will be so bad that a lot of people will stop using email entirely."

Messaging security appliance developer CipherTrust said last week that it will support the Sender ID Framework in the next service release of its IronMail appliance, scheduled for October. The company's chief technology officer, Paul Judge, said that email authentication "will greatly mitigate the threat of phish- ing and spoofing".

However, firms might have to wait a long time for Sender ID to reduce the total amount of spam in circulation. CipherTrust recently warned that the Sender Policy Framework (SPF), part of Sender ID, was having little effect on spam levels, and said that 34 percent of SPF-registered mails were spam.

Companies and domain holders using SPF register their sending mail servers in DNS, meaning that SMTP servers at the other end can verify senders' addresses. Any message without an SPF register could be considered as spam.

However, this assumption is a dangerous one, according to Dean Drako, president of Barracuda Networks. "There are millions of email servers but in comparison only a handful of SPF records," he said. "What do you do if you get an email without a record? Do you delete it? It could be from a customer. You cannot use these techniques to block incoming email for a corporation."

He added that SPF and Sender ID could improve matters, but only in the long term. "It'll be years before everyone has a record."

Barracuda and CipherTrust both agreed that the main benefit of email authentication technology was the ability to tell whether an address was real or had been spoofed. Dimitri Alperovitch, R&D engineer at CipherTrust, said, "Our opinion is that SPF is a good tool, but only when used in conjunction with other tools. Firms with a multi-pronged defence will be the ones in a good position."

For the latest news for IT professionals, visit ITWeek.co.uk