spf-discuss

Early history of SPF

2004-10-08 03:17:53

On Thu, 7 Oct 2004, Jeremy Pullicino wrote:

Hi,

According to my research this is how SPF evolved. If anyone has more
information or would like to correct me, please do so. Since this is off
topic it might be better if you answer me directly 
(jeremyp(_at_)gfi(_dot_)com).

I'm posting it public despite the specific request by Jeremy because 
there has been so much inaccurate information and reminding everyone 
about history of SPF here would not hurt. So here is timeframe of what
led to SPF as far as I could put it together (and please do correct if
something here is wrong):


Dec 14, 1997: Jim Miller sends Paul Vixie email with his idea on verifying 
              smtp2821 mail from by means of outbound-smtp MX dns records:
   http://www1.ietf.org/mail-archive/web/ietf/current/msg31005.html

Note: This event and date are not confirmed by public records and are
      based solely on information provided by Paul Vixie


June 1, 2002: David Green publishes his draft called "Mail-Transmitter RR" 
              on namedroppers mail list (the draft specifies new dns type
              MT dns RR but does not say what format it would have)
  http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg00656.html

Note: Of interest is also that this is first mention of the 
      "Authorized-By" SMTP header which later appeared in other
      IETF draft with no reference given to Mr Green


June 2, 2002: Paul Vixie in response to David Green's post publishes draft 
              called "Repudiating MAIL FROM" on namedroppers mail list. 
              Paul Vixie claimed he wrote it a few weeks before and that
              he based it on the idea previously given to him by Jim Miller:
  http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg00658.html

  Note:  The email post came as of June 2nd for most mail list subscribers
         although actual Date header listed June 1st date as set by poster.
         The draft from this post appeared many times on other mail lists
         sometimes with different author-entered dates varying from May to
         June. The last version of the draft has date of June 6 on top
         and May 26 in the middle of the draft:
                http://sa.vix.com/~vixie/mailfrom.txt


Dec 3, 2002: Hadmut Danisch publishes as Internet draft the first version
         of RMX ("A DNS RR for simple SMTP sender authentication"):
http://www.danisch.de/work/security/txt/draft-danisch-dns-rr-smtp-00.txt
         Hadmut claims he was not aware of Paul Vixie's or David 
         Green's drafts when he came up with the idea. The actual draft
         specifies using new DNS RR type RMX to publish either one ip4
         network block or redirection to APL record.

  Note:  For more information on future versions and development of RMX
         see http://www.danisch.de/work/security/antispam.html


Mar 28, 2003: Gordon Fecyk publishes as Internet draft the first version
         of "Designated Senders Protocol", copy of this draft is
         at http://www.potaroo.net/ietf/idref/draft-fecyk-dsprotocol/
         The draft proposed "blacklist-like" format for authorizing
         use of RFC2821 Mail From name:
           ${REVERSEDIP_1}.ds.client.smtp.tcp.${DOMAINNAME}. A 127.0.0.1
         A later version of the draft (starting with version 1,
         published on April 11, 2003) started using a TXT dns record:
           ${REVERSEDIP_1}._smtp-client.${DOMAINNAME}. TXT "ds-allow"
         As of version 2 of this draft, which was published on Apr 28, 2003
         the name had been changed to "Designated Mailers Protocol" and
         thereafter many started to refer to it as DMP. As of Dec 2003
         the draft name was changed to reflect that as well and its last
         published version is draft-fecyk-dmp-01.txt. As of version 3 of 
         the fecyk-dsprotocol draft the format was changed to:
           $REV-ADDRESS-1.$ADDRESS-TYPE._smtp-client.$FQDN. TXT "dmp=allow"

  Note:  For more information on development of DMP, please see
         http://www.pan-am.ca/dmp/


June 10 2003: Meng Weng Wong starts SPF-discuss mail list. The first
         post there contains first version of "Sender Permitted From"
         (SPF draft is then for some reason designated as version 03) and
         it is clearly a derivative of DMP (90% same text). The post is at
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200306/0001.html
         The draft format at the time is 
           ${ADDRESS}.${ADDR-TYPE}._smtp_client.${DOMAINNAME}. TXT "spf=allow"
         The draft also introduces redirection by means of MX records:
           *._smtp_client.${DOMAINNAME}. MX 0 ${OTHERDOMAINNAME}
         Additionally that draft introduces "SPF-Received" header line
         (but does not describe it well) and refers to Sender Rewriting 
         Scheme at web address http://spf.pobox.com/srs/ (which appears 
         to have been an earlier work than SPF). The latest version of
         that type of SPF protocol (based on DMP) is available at:
           http://spf.pobox.com/draft-fecyk-dsprotocol-03.txt

August 2003:
         This may be the first post by Wayne Schlitt to SPF; he introduces the idea
         of what later became the SPF "mx" operator:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200308/0047.html
         David Saez on Aug 19 2003 introduces "spf-include" option:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200308/0050.html
         and from what I understand this may be the start of when SPF became
         more than just "spf=allow" syntax.

September 2003:
         The ideas of multiple operators are slowly taking shape and
         you can now see "mx", "a" and a default (i.e. "all"):
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200309/0039.html

        ASRG is trying to coordinate development of "mail-from" proposals
        into one proposal that would merge ideas from all authors:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200309/0047.html
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0002.html

October 2003:
        Paul Wouters urges to use new RR instead of TXT:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0065.html
        Meng some days later also says SPF needs new RR type:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0252.html

        On Oct 10 2003 Meng Weng Wong posts new concept and now it begins 
        to look more like SPF you see today:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0121.html
        Among the things mentioned are:
           "v=spf1" to indicate SPF "policy" record in TXT
            SPF records are to be placed in specially reserved for its
               purposes prefix policy._smtp_client.domain.com instead of
               DMP style $ip.in-addr._smtp_client.domain.com
            SPF directives in the "v=spf1" record are described as
              "[Negation] Mechanism ... [Scope] Default [Explanation]"
                 (Scope, Default, Explanation are called modifiers,
                  everything else before that are mechanisms)
            The list of mechanisms at the time is:
              "MX | A | PTR | DNSL | IPv4 | IPv6 | INCLUDE | LocalPart"
            Scope modifier is described as
               scope= "envelope" | "header-from" | "errors-to"
            Default= values are described in more detail and now 
              include "softdeny" (which we now know as "~" softfail):
                default=("unknown" | "softdeny" | "deny" | "allow") 
            Explanation ("exp=") is added as one of SPF modifiers
       An example of SPF record proposed at that time is:
"v=spf1 mx ptr:example.net dnsl:example.com default=deny exp=test of SPF" 
 
       Wayne says SPF records can be used for things other than just email
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0205.html

       On Oct 18 2003 Meng posts latest version of new SPF draft which 
       described full concept he introduced on Oct 10th (see above):
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0275.html
       Of interest among what is mentioned there are:
         Scope = [ 'envelope' / 'header-from' / 'errors-to' ]
           (note: possibility of EHLO prefix is also mentioned in document)
         Mechanism = [mechanism-prefix ] 
                     ( MX / A / PTR / PI / IP4 / IP6 / Include / 
                       LocalPart / Extension )
         Mechanism-prefix = ( "+" / "-" / "!" / "?" ) 
         Default value can be a full name or a short mechanism-prefix:
             "v=spf1 default=deny" OR "v=spf1 default=!" 
             "v=spf1 default=softdeny" OR "v=spf1 default=-" 
             "v=spf1 default=unknown" OR "v=spf1 default=?" 
             "v=spf1 default=allow" OR "v=spf1 default=+" 
         Received-SPF header is specified with 5 possible values:
             pass, error, unknown, fail, softfail
         "_smtp_client" prefix is now used for placement of SPF records 

         Also here is an example of what LocalPart meant then:
           LocalPart of "rlp=+- bob+foo-bar(_at_)example(_dot_)com" would resolve to
           bar.foo.bob.lp._smtp_client.example.com 

       On Oct 18 Mark Lentzner joined SPF and he immediately had a number of
                 comments in regards to irregularities with proposed syntax
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0276.html
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0278.html
         As a result of his comments and irregularities in text Meng
         changed it so that checks are now done directly at domain 
         instead of _smtp_client prefix

       On Oct 27 2003 Philip Gladstone introduces idea of macros as
                      a replacement for LocalPart syntax:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0465.html

       As a result of the Oct 18th posted draft there are lots and lots of 
       suggestions of how it could be improved - October 2003 was a busy 
       month for SPF based on archives. I have read < 10%, but it clearly 
       appears the real birth of what is now SPF was in that month.

       Meng also mentioned that the new syntax in the way he introduced it is 
       primarily the result of his talks during the RMX unification effort at ASRG:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0389.html


P.S. If there is interest in seeing this information, maybe SPF should 
consider posting something like this on the SPF website...

----------------------------------------------------------------------------

Also here are a few other dates I found interesting during this research break:

May 6 2003: Microsoft's Bob Atkinson comments that he prefers TXT to 
            new RR record of RMX and says he likes DMP:
http://www1.ietf.org/mail-archive/web/asrg/current/msg04305.html

August 2003: Microsoft first mentions in public what will become CallerID:
    http://news.com.com/2100-1038_3-5058610.html?tag=fd_lede1_hed
  See also Meng's comments on wanting to work with Microsoft then:
    
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200308/0005.html

Sep 11, 2003: Mark Jason Dominus first proposed ideas that are basically what
       is now being used in BATV proposal by John Levine and Dave Crocker
       (see MARID WG list and new ietf-clear bof):
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200309/0017.html
       
---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

