Hotmail Beefs Up Sender ID with Alert Notices

E-mail provider MSN Hotmail put some muscle behind anti-spam protocol Sender ID today with the launch of a new tool that will notify users when an e-mail message’s sender can’t be verified.

The move is expected to motivate mailers and Internet Service Providers to publish their Sender Policy Framework (SPF) records, which basically list and provide addresses for the computers that send e-mail on behalf of their domains. MSN Hotmail will then check incoming mail from those domains against the records to authenticate the senders and guard against domain "spoofing" by spammers.

If the e-mail fails this authentication test, Hotmail will choose one of three handling options, depending on the sender’s reputation and other anti-spam filtering metrics. The e-mail may be blocked, or placed directly into the recipient’s junk mail folder. But if Hotmail opts to let the message pass through despite improper documentation, users will see a yellow alert notice at the top of the e-mail stating: "The sender of this message could not be verified by Sender ID", together with a link to give them more information about Sender ID authentication.

The new Hotmail alert policy will only be applied to mailers who have published their SPF records, which Microsoft estimates to be about 1 million Web domains, up from 60,000 in October 2004. For now, mailers who have no published SPF record will not be subject to the authentication test; but industry observers expect that by the end of 2005, Microsoft will extend both the tests and the warning to those domains that have not published their SPF records.

The Hotmail move to adopt Sender ID authentication had been anticipated for a while, although its timing was uncertain. The protocol, which was developed in-house by Microsoft, was incorporated into Hotmail’s system in January, and the company claims it now blocks 3.2 million illegitimate e-mail messages a day.

Only about 12% of domains worldwide have published SPF records, representing about 25% of the daily e-mail traffic into Hotmail’s system, Microsoft director of technology, care and safety Craig Spiezle told a conference in April. But adding the visual alert to the Hotmail user interface should serve as strong incentive to e-mail senders to publish their SPF records to enable authentication. Both e-mail service providers and self-marketers will most likely be unwilling to risk endangering their ability to deliver messages safely to Hotmail’s 200 million global customers.

"It’s a sign that e-mail authentication is moving forward," said Jordan Cohen, director of ISP and government relations for e-mail service provider Bigfoot Interactive. "While much remains to be done in terms of getting senders to authenticate their messages, this is an indication that Microsoft thinks there are enough domains out there now doing so that it’s worthwhile to take this step." If Microsoft follows through on plans to roll the Sender ID Framework into its Outlook product later this year, "that will be a pretty significant portion of most consumer marketing lists," he said.

"Compliance with authentication programs is a necessary step to protect both corporate brands and consumer confidence," said Jerry Cerasale, Direct Marketing Association senior vice president for government relations in a release. He said the DMA encourages its member companies to adopt authentication "as quickly as possible."

Cohen added that Bigfoot was recommending that its clients also check to make sure their published SPF records are accurate and up to date, since faulty records may also trigger a Hotmail alert. Those inaccuracies could arise if senders have changed e-mail providers since publishing their records, adopted a new domain name or added new infrastructure—and thus new IP addresses—from which to send e-mail.

"Folks who published their records early and have since let them sit there static are going to run into trouble," he said. "It’s crucial for marketers and their IT departments to be on the same page in not making this [SPF record publication] a one-time effort. They need to be constantly thinking about it and monitoring it periodically for accuracy."