MAAWG said its members have implemented and studied Microsoft Corp’s Sender ID Framework and the open Sender Policy Framework specs, and concluded it neither endorses nor discourages the use of SPF or Sender ID.
Both specs propose ways for email users to determine whether email they receive came from the place it professes to come from. But MAAWG, confirming what the proponents of both specs already acknowledge, said neither spec is perfect.
At best, SPF and Sender ID are comparable to a license plate issued by a foreign country: they show that the vehicle is permitted to drive in that country, but make no indication as to whether that country’s regulations are similar to yours and we can only assume that the driver inside is permitted to use that vehicle, MAAWG reported.
That’s a creative way of saying that neither spec fully solves the problem of spoofed email headers. MAAWG confirmed that there are several implementation scenarios, such as mailing lists and mail relays, where the two specs fail.
It doesn’t say you shouldn’t implement them, but we’re not endorsing either approach either, said Jerry Upton, executive director of MAAWG. Companies need to take the limitations into account when implementing the specs, he said.
SPF, which is also supported in SIDF, has been deployed at thousands of organizations worldwide. Microsoft is pushing SIDF heavily through its Hotmail service. The Internet Engineering Task Force has put both specs on the back-burner for two years, giving them the experimental protocol designation.
