spf-discuss

SPF and current sender-id drafts

2004-08-20 14:39:01
I attended Microsoft's meeting last week. My general impression of
Sender-ID is that it is good. At the meeting the following presentation
'Sender ID Framework Overview' was presented (the topmost item in the
chart on this page (Aug 20th version):
http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx).

Overall, Sender-ID allows me to use existing SPF records. The difference
is the header From is used instead of the envelope From. However a
different header can be used by using an algorithm to determine what is
called the PRA. The PRA is then used for determining what domain is used
to do DNS queries against.

However, the current draft at
http://www.ietf.org/internet-drafts/draft-ietf-marid-protocol-02.txt
states that SPF2 records be used to be 'Sender-ID compliant':

"Sender-ID compliant mail originating zones MUST publish SPF2 type
records, and MAY publish TXT type records that have identical content."

At first I had an issue with this because I would have to publish 2 SPF
records (yes, I'm lazy). I also don't know if Bind supports such
records. Even if I were to use just TXT records, the requirement of a
new version still requires me to publish 2 records.

However, I think the motivation for such a change was because most SPF
records are published with the envelope from being the target of
queries. In fact at the meeting attendees expressed the desire to have a
scope specifier on an SPF record that would indicate to those checking
DNS what header was assumed to be checked against. I now think that is
pointless:

* For a message where the envelope and headers are the same one can use
the same SPF record.

* For a message where the envelope and headers are different one has to
publish 2 SPF records in order to be SPF and Sender-ID compliant. One
for the envelope and one for the header.

* There is no need for a scope specifier because the scope is determined
by the domain (Meng may have even said that, but I don't think anybody
realized what that meant, even me till today).

So how do we convince the MARID to use existing SPF records as is?
Sender-ID only requires a handful of existing tools to change to be able
to handle verification, while the new drafts require thousands of adopters
to change their DNS records.

I should expand on the tools comment. Current tools use the envelope.
Current publishers use the envelope. That's SPF. If someone wanted to be
just Sender-ID compliant, he uses the From header. He publishes that. If
headers and envelope are the same, then he is SPF and Sender-ID
compliant. If they are different, then he's just Sender-ID compliant.
SPF tools would not find a DNS record at all. No harm, no foul.

Anyhow, I don't like what I see in the current drafts.




