spf-discuss

RE: Re: This is ridiculous.

2005-06-12 11:46:36

On Sat, 11 Jun 2005, John Glube wrote:

> Hmm ... The IESG considered that SPFv1 was best suited for
> experimental status when it called for individual
> submissions last October after closing MARID.

Respectfully, let me disagree and say that what happened with the MARID
statement at its closure had to do largely with MARID itself and the
politics and discussions preceding it.

This is not to say that I know if the IESG thinks it's better suited for experimental or standards track (especially as it concerns SPF1, which was not discussed at MARID), but that is something that we've yet to find out.

I do think it's a long shot going after standard and give it a 1/4 chance
myself, but in this case trying to overshoot is not necessarily bad.

> The difficulty is that it seems those who have done actual large scale testing of SPFv1 don't agree with the analysis that the "protocol works."

The protocol may work for some but not for others. Certainly, given the complexity of the email path and forwarding being fairly common for senders
from larger domains, the chances of it not working for those domains are
good, and that is why they are choosing "~all".

Until forwarding is resolved this will continue to be the case (BTW, let me remind you that this is what I proposed in a recent paper, and in fact it has a 100% chance of working, but it does require originating hosts to add signatures).

> I am referencing the MAAWG document filed as an Internet Draft dealing with SPF.

That draft was not that good and made a number of errors, as well as being based on what MAAWG members wanted to hear, and it had every such
protocol that members support listed.

> In addition, you have the decision made by Outblaze sometime ago to remove its SPFv1 records, which was made public in April.

Overkill. Having changed it to ?all would have been enough.

> As well, if you read what Andy Newton, Carl Hutzler and John Levine recently wrote on the Marid mailing list and in particular Andy Newton's suggestion about a framework approach, reading between the lines, I will reiterate my conclusion:
>
> "we have learned a lot with SPFv1 - useful as an aid in
> filtering, yes - but for anything else, no."

I've been thinking about that. My conclusion is that if people want
to use it only for filtering, that is fine, and that SPF has enough expressiveness to allow domain owners to indicate whether that is all they
want or not (in fact "?all" is exactly that).

What you're saying, though, is that SPF should not "recommend" people
use it for anything else and should be neutral about it, i.e. that

| If domain owners choose to publish SPF records, it is RECOMMENDED
| that they end in "-all", or redirect to other records that do, so
| that a definitive determination of authorization can be made.

be removed, and then it would have a better chance with the IESG and with
others who want to use SPF for whitelisting, like some MAAWG members. That is a reasonable thought and I would like to see it discussed further
on this list.

> To the best of my knowledge MSN/Hotmail is only using PRA
> checks for filtering purposes and not to reject mail.
> MSN/Hotmail has added a header to the message indicating the
> SIDF result. I suggest this will be the case when PRA checks
> are incorporated into Microsoft Exchange at the end of this
> quarter.

Consequently, if this is the way it's going and the SPF community would
like to see things patched up with Ted Hardie and the IESG regarding SID
and the SPF statement that using SPF1 records for other identities is
"NOT RECOMMENDED", then one possibility is to replace "NOT RECOMMENDED" with "MAY" use PASS result only for checking other identities but
MUST NOT use FAIL result. Certainly this would preclude the possibility
of people's mail getting incorrectly rejected while still allowing
use of the positive result for whitelisting.

> * Given the issues surrounding the SIDF protocol, this is
> why SIDF is being considered for experimental status and not
> for standard track.

> I take your point and for now the IESG has refused to give
> SIDF a passing vote for consideration for experimental
> status.

I'm personally against SIDF going even for experimental status;
simply put, it is incompatible with existing standards, and this
should be enough to squash it if it were not for Microsoft.

However, given they would agree to not reject on FAIL with spf1
and agree to not use Resent- fields at all, I would withdraw
my objections to it (the only thing is it would probably no
longer be SID and will just be what I call "SPF - sender identity"
verification).

> I may be wrong, but my opinion remains that the IESG will
> not approve SPFv1 for standard track.

Do you think that, given the above ideas about removing the recommendation
for "-all" publishing by domain owners and changing the other-identities statement to "MAY use PASS result and MUST NOT use FAIL result",
this would have a better chance of gaining consensus and subsequently
getting standards status from the IESG?

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
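The two policy ideas in the message above (what a domain owner signals with the terminal "-all" / "~all" / "?all" qualifier, and the proposed receiver rule that an spf1 record checked against another identity such as PRA MAY yield a whitelist on PASS but MUST NOT cause a reject on FAIL) are easy to misread in prose. The following is an added illustration, not code from the original post or from any SPF implementation; the domain names and TXT records are constructed sample data, and `final_all_policy` and `receiver_action` are hypothetical helper names.

```python
"""Added illustration of the SPF policy ideas discussed in the thread.

1. Classify what a domain owner asks for by the qualifier on the terminal
   'all' mechanism of a published spf1 record, following 'redirect='.
2. Apply the proposed receiver rule for spf1 records checked against
   identities other than MAIL FROM / HELO (e.g. PRA): PASS MAY be used
   for whitelisting, FAIL MUST NOT be used to reject.

All domains and records below are constructed sample data.
"""
import re

# Constructed sample zone data: domain -> spf1 TXT record (hypothetical domains).
SAMPLE_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 mx ~all",
    "neutral.example": "v=spf1 a ?all",
    "redir.example": "v=spf1 redirect=strict.example",
    "loop.example": "v=spf1 redirect=loop.example",
}

# Meaning of the qualifier on the terminal 'all' mechanism.
QUALIFIER_MEANING = {
    "-": "fail",      # definitive: every other source is unauthorized
    "~": "softfail",  # owner unsure (forwarding etc.): filter, do not reject
    "?": "neutral",   # owner asserts nothing: filtering only
    "+": "pass",      # authorizes everyone, effectively no policy
}


def final_all_policy(domain, lookup=SAMPLE_RECORDS.get, max_redirects=10):
    """Return the meaning of the record's terminal 'all' qualifier, or
    'none' when no 'all' is reached (no record, no 'all', redirect loop)."""
    seen = set()
    for _ in range(max_redirects):
        if domain in seen:
            return "none"            # redirect loop
        seen.add(domain)
        record = lookup(domain)
        if not record or not record.startswith("v=spf1"):
            return "none"
        redirect = None
        for term in record.split()[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:                    # first 'all' wins; later terms are ignored
                return QUALIFIER_MEANING[m.group(1) or "+"]
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
        if redirect is None:
            return "none"
        domain = redirect            # only honoured when no 'all' was present
    return "none"


def receiver_action(spf_result, identity):
    """Map an SPF result to a receiver action under the rule proposed above.

    identity: 'mailfrom' or 'helo' (what spf1 was designed for), or 'pra'
              (an 'other identity', as in Sender ID).
    Returns one of 'reject', 'whitelist', 'filter', 'ignore'.
    """
    spf_result = spf_result.lower()
    if identity in ("mailfrom", "helo"):
        if spf_result == "pass":
            return "whitelist"       # positive result usable for whitelisting
        if spf_result == "fail":
            return "reject"          # owner published -all: definitive
        if spf_result == "softfail":
            return "filter"          # ~all: score it, do not reject
        return "ignore"              # neutral / none / temperror / permerror
    # spf1 record checked against some other identity (e.g. PRA):
    if spf_result == "pass":
        return "whitelist"           # MAY use PASS
    return "ignore"                  # MUST NOT act on FAIL or anything else


if __name__ == "__main__":
    for d in SAMPLE_RECORDS:
        print(d, "->", final_all_policy(d))
    print("pra/fail ->", receiver_action("fail", "pra"))
```

Note that `final_all_policy` returns "none" for a redirect loop rather than raising, so a malformed record degrades to "no policy" instead of becoming a reason to reject, which is the same conservative stance the proposed PRA rule takes.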