There is a new I-D for the SPF email anti-forgery system available for
review. This draft tries to document the current practices of the
~1,000,000 published SPF records and ~10,000 deployed SPF
systems that are checking 20-100million emails per day.
Discussions about this, and previous, drafts have been taking place on
the spf-discuss(_at_)v2(_dot_)listbox(_dot_)com mailing list. To subscribe or
the archives, see http://spf.pobox.com/mailinglist.html
While I have been reading this mailing list for many months and will
note any comments posted here, sending email to the spf-discuss list
or to me personally is probably better than flooding this list.
I realize that the whole subject of SPF (and similar systems) has a
certain amount of controversy to it, but for the purposes of this
draft, I am very reluctant to try debate these issues. The goal is to
document a de-facto standard. Debates about better techniques, why
SPF is evil, etc. are probably best discussed on things like the IRTF
ASRG list, SPAM-L, the NANAE newsgroup, or on spf-discuss on a
SPF does not directly change RFC2821 or add any extentions to SMTP.
It does, however, allow for domain owners to say which IP addresses
are allowed to use their domains in either the MAIL FROM or HELO/EHLO
commands. SMTP servers (SPF clients) that choose to listen to domain
owners can use this information to accept or reject email or use as
input into a spam scoring system. As such, there is a lot of stuff in
this I-D that could use a lot of review from SMTP experts. Quite a
few of you have already made many reviews of it over the last year or
so, and I would like to thank you for doing so.
My intention is that after a two week review, I will make a "final"
revised draft and ask the IESG to consider it for a Proposed Standard
 These numbers are estimates as of earlier this year. They were
pretty solid back then, and have probably grown since. I have data
to back them up and they are almost certainly underestimating the real