While some are still pushing for Microsoft’s Sender ID Framework specifications and SPF to become more tightly reconciled, as had been planned last year, technical differences between the two mean this still hasn’t happened.
Microsoft Corp and the SPF community have taken their respective specs off of the IETF standards track, but both say they will still pursue the eventual standardization of the controversial technology.
Microsoft executives told ComputerWire that the company has asked the IETF to designate SIDF an experimental protocol, a designation used for specifications that may one day become standards but are not currently recommended for general use.
Meanwhile, a revised draft of SPF that addresses IETF concerns will be submitted in the next couple of days, in the hopes of also getting an experimental designation, according to independent developer Wayne Schlitt, one of the authors of the draft.
SIDF and SPF, and other specs, are designed to give email users an idea of whether email they receive really did come from the purported sender. The idea is to help reduce first fraud and then spam on the internet.
“We would hope that after some period of adoption we could go back to the IETF… maybe move back onto the standards track,” said Harry Katz, program manager at Microsoft’s Safety Technology and Strategy Group.
“When that will happen or how that will happen, I don’t know,” he said. “But fundamentally, if lots of people adopt it, it becomes maybe not a capital-S ‘Standard’, but a ‘standard’ anyway.”
SIDF supports SPF, and Microsoft appears to have co-opted some SPF adoption statistics to demonstrate support for SIDF, saying in a press release Wednesday that 750,000 domains currently support SPF.
Schlitt, who conducted his own research, said he found 740,000 domains in .com, .org and .net that publish SPF records, but only 7,000 domains that explicitly supported the SIDF non-SPF method of authenticating senders.
Under both proposals, email senders put a list of their authorized mail servers in their domain name system records. Email recipients can then do a DNS lookup to check whether mail they receive came from an authorized source.
The idea is to mitigate, although perhaps not completely eliminate, the problem of address spoofing. Spammers and fraudsters often spoof their email headers to make it look like their junk originated from a trusted source.
SIDF and SPF propose two different ways of doing this lookup, however. Microsoft’s PRA (purported responsible address) lookup looks at the from headers in email, whereas SPF looks at the bounce address, Katz said.
To use a metaphor, Schlitt said: “Instead of looking at the address of the envelope, Microsoft are looking at the address on the letterhead.”
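The two lookups described above, as an added example that is not from the article or from either specification: the same message is checked once against the envelope bounce address (SPF) and once against the header-derived PRA (Sender ID). The `TXT` table is a constructed stand-in for DNS using documentation domains and IP ranges, only the `ip4` and `all` mechanisms are evaluated, and the PRA header order is a simplification assumed for the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (documentation domains and IPs).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.25 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_policy(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of a published v=spf1 record."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            continue  # include, a, mx and others are outside this sketch
        if matched:
            return RESULT[qualifier]
    return "neutral"

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()

def pra_domain(raw_message):
    """Simplified PRA choice: first header present, in this order (assumption)."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(header):
            return domain_of(msg[header])
    return ""

def evaluate(client_ip, bounce_address, raw_message):
    """SPF keys on the envelope bounce address, Sender ID on the header PRA."""
    return {"spf": check_policy(domain_of(bounce_address), client_ip),
            "pra": check_policy(pra_domain(raw_message), client_ip)}

# Constructed sample: a list server relays a post written by alice@example.com.
LIST_POST = "From: Alice <alice@example.com>\nSubject: hello\n\nbody\n"
print(evaluate("198.51.100.25", "list-bounces@lists.example.net", LIST_POST))
```

On the constructed list post the envelope check passes while the header check fails, because the list server is authorized for its own bounce domain but not for the author's From domain.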
Last October, an IETF working group called MARID, which was trying to merge the two proposals, was terminated. The IETF said the group had fundamental disagreements and had been sidetracked by discussion of Microsoft intellectual property claims.
IETF director Ted Hardie said at the time that MARID was complicated by moving out of the realm of pure engineering by the need to evaluate IPR and licensing, a reference to Microsoft patent claims. The politics are yet to be resolved.
The SPF community appears to be divided into three broad camps: the Microsoft-haters, who dislike whatever comes out of Redmond on principle, the technology purists, who believe SPF is simply the superior spec, and the negotiators, those who are trying to bring Microsoft back on board, possibly by making technical concessions.
Schlitt said that while it makes sense from a marketing and adoption perspective to get Microsoft more involved, it does not make sense to make technical concessions to SIDF, which he said is not as comprehensive a solution.
“I believe SPF is superior to Sender ID, because there are fewer cases where it causes problems,” he said. “Neither one of them is perfect… But Sender ID is weak in every place SPF is weak, and in a whole bunch of other places.”
Neither one of the specs handles forwarded email very well, Schlitt said, but SPF handles mailing lists a lot better than SIDF does, for example. A third spec, from Cisco, called Identified Internet Mail, is totally different but complements SPF very well, he said.
“I don’t see a good technical compromise [between SPF and SIDF],” Schlitt said. “I guess for political reasons you could say ‘Let’s go with Microsoft because maybe they could help promoting it in the market’.”
Perhaps because SPF has the early-adopter advantage, SIDF continues to support SPF for now. And it appears as if the IETF is set on carrying SPF and SIDF in the same bucket. A directorate of the group has been set up to study both proposals.
In the meantime, it will be several months before either proposal can make it onto the official IETF standards track. For now, both groups are pushing for recognition as experimental protocols, which means they would be acknowledged as pre-standards.
According to IETF guidelines, the usage of a protocol with the ‘Experimental’ designation should generally be limited to those actively involved with the experiment, as opposed to the broader internet community.
However, three quarters of a million users to date means that practically speaking it has already gone beyond the experimental phase, and that it will be a fight in the marketplace for recognition as the de facto standard. And it appears, so far, that SPF is winning.