Click the comments link on any story to see comments or add your own.
Subscribe to this blog
18 Jun 2005
Sender-ID is Microsoft's entry in the anti-spam technology sweepstakes. It's a scheme developed during last year's MARID fiasco in which their earlier Caller ID propsal and Meng Weng Wong's SPF were merged, sort of. Microsoft's patent claims and the details of the patent license they offered so severely distracted MARID that the merits or lack thereof of Sender-ID didn't get much attention.
Now, Microsoft's Hotmail, which also handles the mail for MSN users, says that they will shortly be checking Sender-ID on all mail to Hotmail and will show a yellow warning box on all mail that doesn't pass. What should senders do? Ironically, for most senders, the best answer is nothing.
As I noted last fall, Sender-ID works best for senders who send all their mail from a fixed place, that is, bulk mailers. This category includes both ESPs (email service providers) and spammers.
Sender-ID, like SPF, does path validation. A mail sending domain publishes an SPF record listing the places where its mail should come from, and if a message from that domain comes from a place listed in the SPF record, it passes. Spammers have shown that they're quite able to publish SPF records to validate their mail just as well as anyone else, and Ciphertrust reported a few months ago that a majority of the mail they saw that passed SPF was spam.
Sender-ID, as defined during MARID, could either use the original SPF record format, now known as v1, or a new slightly more flexible format known as v2. Both due to the patent license and technical issues with Sender-ID, SPF development has gone along on its own using v1 records, and the vast majority of published SPF records are v1. Nonetheless, Hotmail says that they will only check v2 records, and if a domain has no record, they'll treat that as a Sender-ID failure and display the yellow warning box. Clearly, this plan has a lot more to do with Microsoft's corporate politics than it does with protecting their users from spam. ESPs will doubtless publish v2 records, as will spammers. But for all the other domains that don't have v2 records, what should they do?
One approach is to say "OK, they want a record, we'll give them a record.'" For domains that aren't ESPs, it's difficult to impossible to come up with an accurate list of the places that could legitimately send mail, once you consider mail forwarders, roaming users, and a laundry list of slightly unusual but perfectly legitimate mail sending approaches. (Sender-ID shares this problem with SPF.) Fortunately, it's no trouble at all to publish a v2 record that says that all mail from anywhere is authorized, thereby making the yellow box go away:
taugh.com. IN TXT "spf2.0/pra +all"
For that moment, that's what we're doing with our domains as an experiment.
But a friend of ours pointed out that if all the ESPs and spammers publish v2 records, and most other places don't, mail without the the yellow box will all be bulk mail, and Hotmail users will quickly decide that no box means not spam. So our advice is to ignore Microsoft's blandishments, do nothing, and wear your mail's yellow box with pride.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.