spf-discuss
Report on the Email Authentication Summit

2005-07-21 10:16:40


Hi everyone!

Yes, the Email Authentication Summit ended a week ago.  Yes, I should
have sent a report much earlier.  No, I don't have a good excuse,
other than mismanaged priorities.  So, better late than never, here is
my report:


The Email Authentication Summit was held in New York City on July
12th.  It was a huge success.  Originally, they had hoped to get 50
people and scheduled a half-day affair.  When they received 100
registrations, they switched it to a full-day schedule.  They
eventually had to shut off registrations and turn people away.  I was
told that the official number of attendees was 475, but my estimate
based on the number of chairs used was higher.

I talked with as many people as I could, and there was obviously a lot
of interest in getting email authentication systems deployed.
Deployed now.  Deployed now, even though it is well understood that it
would involve a lot of work.


It is my understanding that Microsoft actually paid for a large chunk
of this summit, but they tried hard to make it an open "industry"
conference.  I think they were *very* even-handed with their
presentations of both SPF (mfrom) and SenderID (pra).  There was also
a lot of support for doing both DKIM (the Yahoo! DomainKey's and
Cisco's IIM merger) and SenderID.


Just this morning, the Email Auth people have put up the presentations
and webcasts of all the sessions.  See:
http://emailauthentication.org/summit2005/


One of the funnest things about the conference was meeting in person
so many people I have only known by their posts.  I got to meet George
Schlossnagle, Craig Spiezle, Phillip Hallam-Baker, Harry Katz, Meng,
Larry Seltzer, Doug Otis, Jim Fenton and a whole bunch of others.

There were a bunch of others that I wanted to talk with (or talk with
more), but there just wasn't that much free time.  :-<



The whole conference was moderated by Esther Dyson and I think she
did a very good job of running the show.  I had forgotten that she
used to be the chair of ICANN before it became pure evil. Esther did a
good job of tossing out softball questions, like asking Craig Spiezle
(Director, Technology Care & Safety Team, Microsoft) things like
"there has been a lot of controversy about the SenderID license, but
it really isn't a problem, is it?"


The actual presentations and sessions really didn't contain a lot of
information that most people here don't already know, but everything
was well done and it was good to see a lot of interest from so many
people/companies outside the core people trying to make email auth
happen.  It isn't just "us" who care.

There were lots of vendors around to help people solve their email
auth problems.  While just about everyone said they were supporting
either "SenderID" or "SPF", it was really not very clear to me whether
they actually meant the "PRA" when they said "SenderID".  If I had
time, I would have asked them about it.  It was also nice to see that
the DMA and ACT booths were empty almost all of the time.  ;-)


John Tafoya of Hotmail made a presentation on how Hotmail is showing
the PRA checks.  During the development, their user feedback sessions
told them that showing when emails *passed* the SenderID check caused
confusion, so only emails that *fail* show up with a warning.
During the question and answer session, someone rightfully pointed out
that this was useless and bad.  It allows phishers to put in a
Resent-Sender: header that will pass, and the Hotmail users will still
see the "From: support@paypal.com" line.  I don't recall John Tafoya
having a good answer to that.

In somewhat related news, I've heard that Hotmail is "only checking
the top 1 million domains for SPF records", and from another source
that "Hotmail creates a cache of the results of the combination of the
SPF records/connecting IP address, and that this cache has finite
size."  So, that explains why after a couple of months of logging, I
have yet to see a single PRA lookup for my domain.  Not only don't I
send enough email, but my "tracking exists:" mechanism prevents
caching.


I talked with someone from GoDaddy who was horrified to learn that
their SPF wizard doesn't work and agreed that probably what has
happened is that the bug reports just aren't reaching the right
people.  My bug report (post here previously) was sent off to the
right person (I hope) in GoDaddy, so maybe things will be fixed soon.


I also had very good conversations with both Craig Spiezle and Harry
Katz of Microsoft.  I got the impression that both of them thought I
was just a foaming-at-the-mouth anti-MS person whose only objection to
the PRA is because MS likes it.  It appeared that they felt that
talking with me, and most others in the SPF community, would just
generate anti-MS rants and thus be worthless.  When I had a chance to
explain that my objections to the PRA, and the re-use of SPFv1 records
are for *technical* reasons, they became much more willing to talk
with me.  I wasn't able to change any minds, but we had good
discussions and I think that they will be much more willing to talk in
the future.


On the issue of re-use of SPFv1, I did have a good discussion with
Harry.  Harry explained that they are really dealing with Email
Authentication as an 80/20 rule.  They want to tackle the 80 percent
of the phishing/spam that they can right now, and after they deal with
that, they will look at the other 20 percent.  They have not seen any
significant cases where the re-use fails, and by "significant", they
mean enough to prevent them from tackling the 80% that they want to
work on right now.  Harry's response to most objections is that the
domain owners can just opt-out by publishing spf2.0 records if they
don't like the re-use.

The cases of mailing not adding Sender: headers (around 20%, IIRC from
the research done during MARID) are "not significant".  Things like
SES breaking are not important and domains that use SES can simply
opt-out.  Harry did say that he recently heard objections from people
who outsource their email to ESPs, where the ESPs handle the bounces,
but don't add the appropriate headers.  This works with SPFv1, but
breaks with the re-use.  Both Meng and I immediately responded that this
was the "Margaret Olson objection" as discussed during MARID, but
Harry seemed to think that Margaret thought that the reuse was fine.

Anyway, I could not come up with any cases of re-use that were
"significant", by Harry's definition of "significant".


I pressed Harry on why not just use the mfrom identity instead of the
PRA.  His response was that the 2821.MAILFROM is not seen by users.  I
pointed out that neither is the PRA and that problem had been pointed
out earlier in the day during the Hotmail presentation.  That you
*had* to display the verified identity and that if you are going to
display something, you can just as easily display the domain name of
the mfrom.  Harry didn't have a good answer to that.

So, I guess Harry and I are kind of stalemated.  I could not convince
him that the re-use was bad enough to be of a concern to MS, and he
could not convince me that the PRA had any value above what the mfrom
already gives.



Another area of concern that I have is that it appears that MS may
well be succeeding in convincing the world that "SenderID is an
updated replacement for SPF" and that people only need to think in
terms of SenderID.  I do google news searches every day for SPF and
SenderID.  It used to be that almost all news stories that referenced
SenderID also referenced SPF, but in the last few weeks that has
changed and now at least half of the stories only mention
SenderID, and few stories mention SPF without also mentioning
SenderID.



-wayne
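An added illustration (not part of the original post or of any Microsoft, Hotmail or SPF project code) of the two mechanisms the report argues about: how a Sender ID verifier picks the PRA identity from message headers (RFC 4407 precedence, simplified), so a receiver can flag a PRA that differs from the From: domain the user sees instead of showing nothing, and which DNS record a PRA check consumes (RFC 4406 scope selection, simplified), showing that a v=spf1 record is re-used for PRA unless the owner publishes an spf2.0 record carrying the pra scope. All headers and records are constructed sample data; `pra_from_mismatch` and `select_record` are names chosen here.

```python
import re
from email.utils import parseaddr

# RFC 4407 precedence (simplified; the RFC's Resent-* block rules are fuller):
# Resent-Sender, then Resent-From, then Sender, then From.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(headers):
    """Return (header_name, mailbox) for the PRA, or None if none is usable."""
    for name in PRA_ORDER:
        value = headers.get(name)
        if value:
            _, addr = parseaddr(value)
            if "@" in addr:
                return name, addr
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def pra_from_mismatch(headers):
    """True when the identity a PRA check would verify is not the From:
    domain the user sees.  A receiver that only displays failures never
    surfaces this case; a defender should warn on it explicitly."""
    pra = select_pra(headers)
    _, frm = parseaddr(headers.get("From", ""))
    if pra is None or "@" not in frm:
        return False
    return domain_of(pra[1]) != domain_of(frm)


def select_record(txt_records, scope):
    """RFC 4406 record selection, simplified: an spf2.0 record whose scope
    list names `scope` wins; otherwise v=spf1 is re-used for that scope.
    Publishing e.g. 'spf2.0/pra ?all' is the opt-out from re-use."""
    scoped = []
    for rec in txt_records:
        m = re.match(r"spf2\.0/([a-z,]+)(?:\s|$)", rec)
        if m and scope in m.group(1).split(","):
            scoped.append(rec)
    if scoped:
        return scoped[0]
    v1 = [r for r in txt_records if r.startswith("v=spf1")]
    return v1[0] if v1 else None
```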