Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

31 Jul 2005

SPF loses mindshare Email

MAAWG is the Messaging Anti-Abuse Working group. It was started by Openwave, a vendor that sells e-mail hardware and software to large ISPs and originally consisted only of Openwave customers, but has evolved into an active forum in which large ISPs and software vendors exchange notes on anti-spam and other anti-abuse activities. Members now include nearly every large ISP including AOL, Earthlink, Yahoo, Comcast and Verizon is a member, along with ESPs like Doubleclick, Bigfoot, and Checkfree, and vendors like Ciscom, Ironport, Messagelabs, Kelkea/Trend, and Habeas. They've also been quietly active in codifying best practices and working on some small but useful standards like a common abuse reporting format.

Earlier in July their technical committee quietly released an evaluationn of SPF and Sender-ID. Although it is worded very tactfully, the message is clear from phrases like;

While MAAWG neither endorses nor discourages the use of SPF or Sender ID, the technical committee's findings highlight real-world risks to the delivery of legitimate e-mail when the specifications are implemented.

At about the same time, Earthlink equally quietly removed the SPF records they'd been publishing for at least a year. That was particularly surprising because SPF originator Meng Wong had been working with Earthlink to get their SPF set up. If Meng can't make SPF work, who can?

I particularly look forward to see what happens in November when Hotmail says they will start showing a yellow warning box (the Big Yellow Box Of Death, or BYBOD to the cognoscenti) on any incoming mail that doesn't pass Sender-ID. With no SPF records at all, Earthlink's mail won't pass Sender-ID, and will, we assume, be 100% BYBOD compatible. Will Hotmail blink and add their own synthetic SPF records for Earthlink? Will Earthlink publish SPF records that only Hotmail can see (and if they do, how could we tell?) Should be interesting.

(Claimer: most of MAAWG's members are companies that pay a substantial membership fee, but they also have a few invited individual members, including me.)

posted at: 23:57 :: permanent link to this entry :: 1 comments
posted at: 23:57 :: permanent link to this entry :: 1 comments

comments...        (Jump to the end to add your own comment)

Much ado about nothing
We had concluded our testing and recognized that real-world deployment of SPF and SenderID posed serious risks to the deliverability of legitimate email. We believe it is better to publish no record at all than to publish a record that may be subject to misinterpretation. I alluded to this in Will Sender ID Kill Spam? on July 8.

(by Rantification 03 Aug 2005 16:53)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs


11 days ago

A keen grasp of the obvious
My high security debit card
300 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.