SPF Council member Julian Mehnle last week wrote to the Internet Engineering Steering Group, the IETF’s overseer, to formally request that SIDF’s designation as an experimental protocol be revoked.
SIDF and SPF, which stands for Sender Policy Framework, both propose ways to more accurately identify the senders of email, which could be a useful tool to mitigate spam, phishing and other email attacks.
Both protocols, which function in roughly similar ways, were given the IETF’s blessing as experimental back in June. But now Mr Mehnle says SIDF’s approval should be reconsidered, because it conflicts in a significant aspect with SPF.
If the IESG were to revoke SIDF’s experimental designation, or compel Microsoft to make the changes that the SPF Council wants, it would put a significant dent in Microsoft’s marketing of SIDF, a core piece of its anti-spam strategy.
SPF and SIDF both attempt to reduce spoofing by requiring email senders to publish the addresses of their authorized email servers in their domain name system records, so recipients can check whether email comes from where it purports to.
The two specs check incoming email in different ways, and expect different records to be published in the sender’s DNS. SPF supports SPF v1, while SIDF supports SPF v1, SPF v2 and a Microsoft spec called purported responsible address or PRA.
The SPF community has long complained that SIDF’s support for SPF v1 could create false positives when email recipients are using SIDF checks but the sender had published SPF v1 records thinking recipients would be using SPF checks, not PRA.
Content from our partners
Mr Mehnle said this would not only produce non-trivial amounts of false results, but also distort the results of any intended experiments and suggests Microsoft changes SIDF so that SPF v1 is only used with SPF checks, not PRA checks.
The SPF’s reconsideration request puts forth the point that the IETF should not be implicitly endorsing experiments that conflict with one another, as that would make it harder to extract useful results.
The conflicting part of the Sender-ID specification disrespects the substantial history the SPF specification has outside the IETF, Mr Mehnle added. Through its decision, the IESG also ignores SPF’s deployed base.
While it may seem like an esoteric technical issue, if Microsoft were to remove backwards incompatibility with SPF v1, it very likely would have to drop its claims that SIDF enjoys a huge groundswell of support.
SPF community members are thought to be privately peeved that Microsoft counts the number of domains supporting SPF v1, as well as the later versions that Microsoft helped create, when it quotes adoption statistics for SIDF.
The company said in March that 750,000 domains are publishing SPF records, the method used within the Sender ID Framework, but the SPF community says that the majority of this support pre-dates Microsoft’s involvement with SPF.
If the IETF did drop SIDF’s experimental designation, it would be a PR blow for Microsoft, but would likely prevent the company from pressing on regardless. The company plans to incorporate SIDF checks in Hotmail soon.
But the SPF Council’s request is not a slam-dunk. Indeed, it may backfire, with some participants in IETF discussions already suggested that the IESG should publish neither SIDF nor SPF until their differences can be worked out.
