schnell at gmail
Oct 23, 2004, 2:07 PM
Post #3 of 8
On Sat, 23 Oct 2004 13:43:04 -0500, wayne <wayne [at] midwestcs> wrote:
> In <417A7FC9.3020304 [at] convio> David Crooke <dave [at] convio> writes:
> > We're (among other things) an email marketing provider, and getting
> > close to taking the plunge with our clients and having them create SPF
> > records.
> > Here's a practical question:
> > Meng has been working to get Microsoft on board and came up with the
> > hybrid standard labelled "Sender ID", which if you follow it to the
> > letter says that you (as a mail sender) can publish either Caller ID
> > or SPF, and Caller ID takes precedence if you have both, because the
> > receiving MTA should perform the DNS lookup for Caller ID first.
> There are a lot of misconceptions in this paragraph, which really
> isn't too surprising considering how messy the whole business has
> SPF is a system that has been evolving since last summer. Rapid
> changes to the standard stopped early last winter, but it has still
> been slowly evolving since. There is a move underway right now to
> solidify this standard as "SPF-Classic".
> SPF-Classic is by far the most widely deployed anti-forgery system
> (aka designated sender system) in the world, easily outnumbering all
> other systems combined.
> Much more radical changes to SPF have been proposed by several people,
> including Meng, and are being debated. These proposals have gone by
> the names of "Unified-SPF" and "SPFv2" and a few others.
> Since the Unified-SPF/SPFv2 spec is still very much in flux, I can't
> recommend committing to it unless you are willing to be actively
> involved in its development.
> CallerID was Microsoft's original proposal for a designated sender
> system. From what I can tell, it has been abandoned, and the
> Caller-ID records published under Microsoft.com, and hotmail.com.
> (but, not msn.com!)
> SenderID was the proposed merger of SPF and CallerID that was
> developed during the IETF's MARID working group's life. A final spec
> was never delivered before the working group was shut down. The spec
> was about 90% SPF and 10% CallerID, and many have argued, including
> Meng, that most of the 10% from CallerID is badly broken.
> As evidence to just how committed Microsoft is to the SenderID spec,
> note that they haven't published SenderID records for microsoft.com
> nor hotmail.com. If they did publish records, they would likely use
> their SenderID Wizard, which creates invalid records. Yes, Microsoft
> knows that their wizard is publishing broken records, but say that
> because they outsourced the job to India, they can't easily change
> There is only one system out there that I know of that implements
> SenderID, and that's sendmail's SID-milter. Unfortunately, it breaks
> the SenderID spec by using the wrong records. (Breaking the SenderID
> spec means that you can't get a license from MS for their patents over
> SenderID. Sendmail is currently ignoring this because the patents
> haven't been issued yet.)
> So, no, you can't publish either CallerID records or SPF records. You
> can publish SPF-classic records, which are the most widely used. You
> can publish CallerID records, which only a very few systems use. Or,
> you can publish SenderID records, which almost no one uses.
> > From the receiving MTA perspective, a lot of open source types have
> > said they will only support the SPF half, due to concerns about IP
> > restrictions around caller ID. This is fine if all the sending
> > domains publish records for either SPF or both mechanisms in their
> > DNS.
> > From what I can see out there in the world, the majority of the big
> > guns have SPF only, e.g. AOL - except for Microsoft, who have only
> > Caller ID records in their DNS.
> Right. And MS has abandoned CallerID and its actions speak loudly
> about its lack of commitment to SenderID.
> > *What I want to know is, from an inbound perspective, does Hotmail
> > (and other MS ISP properties) currently implement /Caller ID/ or do
> > they implement /Sender ID/, i.e. will Hotmail look at an SPF record
> > if there is no Caller ID one?*
> I do not believe that any MS domain ever implemented any designated
> sender system, either CallerID, SPF, or SenderID. I personally think
> that it is very unlikely that Hotmail will implement any system within
> the next year or two, maybe much longer. Remember, Hotmail doesn't
> even do simple checks such as making sure the sending domain exists.
> Such DNS lookups are "too expensive", or that's what I've been told that
> hotmail folks have said.
> The folks from MS that have been involved in the CallerID and
> SenderID proposals have all been from the MS Exchange group and the MS
> PR group (with a little involvement from the MS Lawyer group.) The
> Hotmail folks have been *very* quiet. MS is a big company, I'm sure
> that it is hard to get everyone going in the same direction.
> > If not, then as far as I see it the SPF / Sender ID effort is still in
> > full schism, with Microsoft using only their proposed proprietary
> > standard, and the rest of the world using SPF.
> Yes, there is a schism, but it is only sendmail that is using MS's
> proprietary standard. Even sendmail's milter implements "SPF-classic",
> although it appears that they don't implement any of the SPF-classic
> specs, but rather SenderID with the MAIL FROM. There were several
> incompatible changes made when SPF was evolved into SenderID, so I
> would not trust this milter to correctly implement SPF-classic.
> > Recent advice from the Direct Marketing Association (DMA) was to
> > implement "all three" - Caller ID, SPF and Domain Keys, which makes me
> > suspect it is not current with the technology - is Yahoo! actually
> > doing anything about Domain Keys any more, I thought they had decided
> > to back SPF? They don't currently have SPF or Caller ID published.
> It appears to me that the Yahoo (and sendmail) folks are very actively
> trying to create a solid DomainKeys system. However, it appears that
> it is still being worked on and there is no stable standard yet.
> I think DomainKeys is an interesting idea, but it has a few critical
> problems with it that make it not work very well right now. I hope
> they can get it to work.
Excellent synopsis. Can you talk about the DomainKeys critical problems?