spf-discuss
[Top] [All Lists]

SPF: Not just a clever idea

2004-06-07 01:07:01
Despite some negative comments about the technical details of the merger, I have to say that overall I am quite pleased with the new direction set by Meng, and my reasons for feeling pleased are for the most part non-technical.

Because I think the technical aspects of the merged proposal have been getting a lot of bandwidth and attention, I would like to dedicate some time and energy to discussing the non-technical facets of SPF and my feelings about the future.


SPF is not a new idea. SPF is based on an idea whose time has come: specify outgoing mailers and use that info to permit only certain IPs to use your domain name. It is not the first of its kind: SPF owes its origin to RMX, DMP, and others (Vixie, Church, Danisch, Feyck, etc).

I think SPF stands the best chance of succeeding out of all of these, but not because the idea is dramatically better. SPF owes its success to the hard work of its community members, most notably Meng, but there are plenty of others. The hard work has not been in thinking up clever ideas... the hard work comes in talking to others, expressing our ideas coherently, listening to others, understanding roadblocks, working together to solve them, producing working code, testing, changing, etc.

So, for this reason I believe that SPF's strongest asset is not its spec, but its people. The community of people that has sprung up around SPF is a great cross-section of the email industry. Each of us has our own concerns, constituents, agendas, etc., but we are all united in a common cause: stop email forgery. For this cause we have donated our ideas, time, energy, enthusiasm, and other resources.

My personal feeling is that ending forgery will take a long time, so we had better get started, and get as many people on board as we can, as soon as possible. To me, which particular interpretation/expression of the idea we choose to get behind is not as important, but getting rolling soon, and getting many allies early in the game are most important. If we are all pulling the same direction, we can make a lot of progress quickly, and a lot of things that used to be impossible now become possible. If there are minor differences between two expressions of the same idea, I believe it is much more powerful to pick one and go with it, together, than to stick to an idea that we think is superior, but turns a potential ally into a competitor.


Also, I believe that Microsoft is not the enemy. A lot of people have strong feelings that Microsoft is evil. I don't. They are simply another player, and they are a big one... they control servers (exchange) MUAs (outlook) and one of the largest email services (hotmail).

It is a testament to our success that Microsoft approached Meng to talk about convergence. Most of the time when Microsoft wants to master a new technology, they just go out and do it. In this case, enough of their customers and partners said "Hey, hang on, what about SPF?" that they decided to take the time to talk to Meng to see if convergence was even possible. Meng should be proud that we got to this point, and so should we all be.

Still, we are not the only fish in the sea, and MS Caller ID is not a slouch of a proposal either. If there were no convergence, or if the deal is scuttled for whatever reason, SPF Classic can continue to go its way and MS CID can continue to go a different way. Eventually one or the other would probably win out, but this would mean dividing our resources, competing for attention, etc.


In exchange for gaining a powerful ally, the New SPF shifts its attention to 2822 headers instead of 2821 MAIL FROM. Many folks see this as a step down, because we can't check the authorization before the DATA phase -- at least not at first -- and the bounce address is protected indirectly, not directly.

This difference -- 2821 MAIL FROM vs. 2822 From:/Sender: was a big concern in the IETF MARID working group as well. MARID, true to IETF form, is full of literally dozens of great ideas, some of which have a chance of working and some which don't. But again, great ideas by themselves don't solve problems... hard work solves problems. The MARID camp was pretty much split due to disagreement about 2821 vs. 2822, much the way SPF and MSCID were split a few weeks ago. An agreement with MS allows us to present a consistent story to MARID, which I think is crucial to getting an RFC drafted and approved.

Finally, being able to announce a convergence of the two proposals at the INBOX email conference was a huge win. This will help us get the message out there, and help us push through many barriers that would have been impassable before now. There is a huge difference between asking an ISP to do something because we think it's right and we hope it won't break anything, and getting users pumped about it so that they ask their ISP for it. (Same goes for corporate IT, forwarder, whatever)


So. Those are my reasons for supporting the New SPF. I hope that the SPF support community will pull together under the common banner, which is still "Stop email forgery". I hope that the technical differences will give us some spirited debate, and then get resolved quickly so we can all stand together again. We have built up a good head of steam and have got people moving in the right direction. I would not like to see people get lost in the details, or decide to throw themselves on the tracks because it's not exactly the same expression of the idea they originally had in mind.


Thanks for your time.
gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>