"The underlying system is very porous. It was designed to deliver mail, not to approve anything," Levine said.
The IETF, which develops the technical standards that run the Internet, will publish initial recommendations on e-mail authentication in August. The FTC, meanwhile, plans to address the issue this fall.
Although the major players agree on the need for authentication, they differ on how to do it.
Under the first approach, domain name owners (like washingtonpost.com or amazon.com) would keep a public record of what IP numbers they use to send e-mail. Recipients' e-mail servers would be able to check those records to verify that a message came from a source that was not falsifying – or "spoofing" – the "from" line in the message.
"You can't guarantee it's not spam, but you can guarantee it's not spoofed," said Microsoft Corp. spokesman Sean Sundwall. "And at [e-mail service] Hotmail about 50 percent of the spam we're receiving is spoofed."
Yahoo recommends placing a digital "signature" on each outgoing message that recipients' e-mail providers could unlock with "keys."
Advocates of this approach agree that the technology is more complex, but say it provides a more reliable way to identify senders.
"A lot of folks liken e-mail to sending a postcard. Domain keys require you to always wrap that message up in an envelope," said Ray Everett-Church, chief privacy officer of Paoli, Pa.-based ePrivacy Group, a company that is developing a key authentication proposal.
The advantage of the signatures is they can travel with a message wherever it goes, whereas the system that Microsoft favors can break down when a sender tries to use a Web-based e-mail account from different computers, Everett-Church said.
Officials from Microsoft and Yahoo said that the two methods could be used together. Neither would require individual e-mail users to change their online habits.
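
The first approach (published sending IP numbers) and the breakdown Everett-Church describes can be shown in a few lines. This is an added example, not code from the article or from any of the companies named. It assumes the records use SPF-style syntax, which the article does not specify, and the domains, addresses and the names `PUBLISHED_RECORDS`, `parse_record` and `check_sender` are constructed for illustration.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (documentation
# domains and address ranges; nothing here comes from the article).
PUBLISHED_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Return (list of (result, network), default result) for an SPF-style record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF-style record")
    rules, default = [], "neutral"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            rules.append((QUALIFIERS[qualifier], ipaddress.ip_network(value, strict=False)))
        elif name.lower() == "all":
            default = QUALIFIERS[qualifier]
            break  # terms after "all" are never evaluated
        # other mechanisms (a, mx, include, ...) need live DNS and are skipped here
    return rules, default


def check_sender(connecting_ip, from_domain, records=PUBLISHED_RECORDS):
    """Evaluate the connecting IP against the record published by the claimed domain."""
    record = records.get(from_domain.lower())
    if record is None:
        return "none"  # domain publishes nothing, so no claim can be checked
    try:
        rules, default = parse_record(record)
    except ValueError:
        return "permerror"  # malformed record or network value
    ip = ipaddress.ip_address(connecting_ip)
    for result, network in rules:
        if ip.version == network.version and ip in network:
            return result
    return default
```

A genuine example.com user sending through a server outside the listed ranges gets the same `fail` as a spoofer, because the check sees only the connecting address. That is the breakdown case a signature carried in the message avoids.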