spf-discuss

draft: SPF community's position on MARID closing

2004-09-24 10:38:22
So someone had the idea that we should have an Official
Statement to release to the Media.  Would anybody like to
help iterate this?  Let me know if I left anything out, and
if people are reasonably comfortable with it we can put it
out there on a web page or something.

                           * * *

While the disbanding came as a bit of a surprise, I now see
why it was a necessary move.  There were a number of
proposals on the table; because there was little consensus
that we should pick just one, the co-chairs decided to
pretty much publish all the contenders as experimental
proposals, and let them evolve and let the market decide.

This actually makes sense.  Why?  Good standards are not
unilaterally decided by committee and then announced for the
world to adopt.  Good standards evolve organically, and only
after the world has already adopted them, does the IETF step
in, formalize, and bless them.

Spam was such an urgent problem that we thought we could
take a gamble: we tried to short-cut the process.  We
thought, "wouldn't it be much more efficient if we could
just tell everybody to do the right thing?"  But we found
that people had different ideas about what the right thing
was.

What I've learned from this is: there are many right things,
and we'll probably end up doing more than just one.  An
elephant is like a wall, like a spear, like a snake, a tree,
a fan, a rope.  In the same way, sender authentication needs
more than one approach: we need to authenticate the HELO
hostname, the return path, and the headers, and besides that
we'll also need crypto.

So that's our plan.  The SPF community will pick up the
pieces and define a "Unified SPF" standard.  Unified SPF is
the whole elephant.  It will work better than any one of the
proposals alone, better even than SPF Classic.  We went into
MARID holding that banner, and we're coming out with a
patchwork quilt.

Picking just one authentication technique is like saying
"henceforth, all gas stations shall sell only 89 octane."
But the market wants 87, 89, 91 and diesel too.  There's
lots of room at the pump.  What does the future hold?  All
of the above.

Facts:
  An estimated half million domains have published SPF
  records.
  
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200409/0746.html

  Major providers are checking SPF records; Microsoft has
  stated by Oct 1; GMail is already checking (you need to view
  full headers); and AOL has plans to convert its IP-based
  whitelists to SPF by the end of the year.

The SPF community plans to take the existing records and
squeeze as much use out of them as we can.

Meanwhile, working with Microsoft on Sender ID, we have
defined a spf2.0 specification which will be backward
compatible with the spf1 records out there; and it will give
senders in unusual situations greater expressiveness.

So even though the IETF group is officially disbanded, the
show will go on.  MARID may be dead, but SPF is not.
http://www.circleid.com/article/765_0_1_0_C
http://www.circleid.com/article/742_0_1_0_C