Email Battles’ discussion with Meng Weng Wong, the father of the Sender Policy Framework method for sender authentication of email messages, continues.
EB: In your estimation, what makes SPF the best sender authentication method?
I don’t think it’s the best. I think it’s second best. Something along the lines of PGP (Pretty Good Privacy) or DKIM (DomainKeys).
Best tends to succumb to good enough. We’ll eventually see a combination of SPF and cryptography. Once we have those together we’ll have a really good solution. It takes work to combine the two.
EB: Some network managers moderate SPF’s clean, pre-data Pass/Fail technique by passing failed messages on for further tests or simply including SPF’s Fail as part of an overall message score, a la SpamAssassin. What do you think of these strategies? Can you share any scenario wherein an SPF dilution strategy may be valid?
Yeah. We’re in a transitional phase where nothing is going to be 100%. SPF, sender accreditation and sender reputation are all pieces of the puzzle. Once you do have them all together, it’s a full system. We’ve been building out parts.
EB: A number of SPF supporters complain that Microsoft inflates claims for the number of adopters of Sender ID by adding them to the SPF users, since SPF entries in DNS can be used by both protocols. What do you think about Microsoft’s high adopter counts?
I think they’re great. They’ve gotten us most of the way to where we want to be.
In fact, both SPF and Sender ID fall back to a sort of default case, when there is no record published. It works for small domains. Only the tough cases need to publish. Getting 100% adoption isn’t really necessary. It’s like avoiding peanuts. You only have to do it if you’re allergic to peanuts.
I’m really happy. I think that’s OK.
It’s like the Protestants. If you ask how many Christians exist, are they going to count Catholics?
EB: How will the SPF Council react and, more importantly, how will SPF adoption be affected, if the Internet Engineering Task Force (IETF) goes along with Microsoft’s request that Sender ID be allowed to use SPF data in DNS?
I don’t think it will be the end of the world.
EB: How ’bout if the IETF discontinues approval of one or both projects?
That’ll be disappointing, if two brothers can’t get along so they take the whole family down with them. Because it’ll be like the story of Solomon and the baby. (fyi: When presented with two women bickering over ownership of a baby, King Solomon offered to split it in half. Nobody wins. –ed)
Possibility: I think the internet community will do what the internet community wants at the end of the day. The internet community looks to the… “idea”… for leadership. If the… “idea”… can’t provide it, that will be a turning point, and it’s time to look elsewhere.
EB: Sounds like this whole sender authentication thing is pretty much up in the air. What should Email Battles readers do today?
Publish your SPF records… and get ready for DomainKeys.
If you more aggressively filter SPF Fails, that should work for you. You can do that today.
SPF Pass, in combination with whitelisting good domains, should bypass spam filtering and help you reduce false positives.
If you happen to be an Internet millionaire, talk to me. Maybe we can set up a foundation to get something done. Free markets aren’t going to get you all the way. It’s a lesson we keep learning and keep forgetting and we have to learn it anew each time. Which brings me back to my original point that we need real Internet governance…
EB: …and, thankfully, the end of the interview… So. What are you working on now?
The other legs of sender verification. Reputation and accreditation are really interesting problems. I’m encouraged by a lot of sci-fi authors I read. In their futures, reputation is as much a part of the future as space travel.
I’m building an infrastructure for reputation systems to flourish in. It is not a reputation system. It supports them. So far it’s been met with really good reception.
SMTP is here to stay. It could be in the same way as SPF is here to stay. If we’re unable to save it with Sender ID and DomainKeys it’ll be with RSS. To that end, I’ve written a white paper on this. RSS email, based on a pull model rather than push, where you subscribe to everyone in your address book.