From Email Battles’ mailbag… An angry reader writes: “You have no SPF record. Without SPF record the receiving mail server will not be able to verify your email is really coming from your domain.”

OK. We’ll bite.

For those who haven’t been riveted to the edge of their seats following the SPF brouhaha, a brief description:

SPF is a method of trying to make sure that a message actually originated from the sending address presented. To make the beast work, the sender first adds a record to each domain’s zone file in DNS. The receiving end checks the email’s message headers to see if the purported sender’s information matches the DNS entry. On match, the mail’s data is accepted, subject to any other tests.

Supporters originally promoted the technique as a way to reduce spam. They have since limited their pitch to “SPF fights return-path address forgery and makes it easier to identify spoofs.”

Email Battles noted long ago that SPF was easily derailed by loose rules on the DNS side, which result in the authenticating of virtually all email. A huge contingent of DNS managers implement SPF “loosely.” This relaxed methodology attracted spammers, who have been reported as among SPF’s most enthusiastic adopters.
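To make the “loose rules” point concrete, here is an added example (not Email Battles’ code) that audits a domain’s published SPF TXT record for the settings that let almost any sender through. The sample records, the function name `audit_spf` and the `min_prefix` threshold are assumptions constructed for illustration.

```python
import ipaddress

# SPF qualifiers and the result each yields when its mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def audit_spf(record, min_prefix=16):
    """Return findings explaining why an SPF TXT record is loose ([] = strict).

    min_prefix is an assumed threshold: ip4 ranges wider than this are flagged.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, terminated = [], False
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            terminated = True      # policy is delegated to another domain's record
            continue
        qual = low[0] if low[0] in QUALIFIERS else "+"   # no qualifier means "+"
        body = low[1:] if low[0] in QUALIFIERS else low
        name, _, arg = body.partition(":")
        result = QUALIFIERS[qual]
        if name == "all":
            terminated = True
            if result != "fail":
                findings.append(f"'{term}' gives every unlisted sender '{result}'")
            break                  # 'all' always matches; later terms are never reached
        if name == "ip4" and result == "pass":
            try:
                net = ipaddress.IPv4Network(arg, strict=False)
            except ValueError:
                findings.append(f"unparseable network in '{term}'")
                continue
            if net.prefixlen < min_prefix:
                findings.append(f"'{term}' authorizes {net.num_addresses} addresses")
    if not terminated:
        findings.append("no 'all' or redirect: unlisted senders default to 'neutral'")
    return findings

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for rec in ("v=spf1 ip4:192.0.2.0/24 mx -all", "v=spf1 +all",
                "v=spf1 mx ?all", "v=spf1 ip4:0.0.0.0/0 -all", "v=spf1 mx a"):
        print(rec, "->", audit_spf(rec) or "strict")
```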

In addition, SPF didn’t work well when legitimate relays, like network spam filters, intervened on the receiving side.

We told Email Battles readers to keep their powder dry.

Since then, Microsoft’s Sender-ID experiment, which acts on the SPF records in DNS, has been approved by standards authorities. SPF creator Meng Wong was unceremoniously dumped by the SPF Council in SPF elections. SPF complaints about Sender-ID were rejected by the Internet Engineering Steering Group of the Internet Engineering Task Force (IETF), and appeals were exhausted with the Internet Architecture Board. As if that’s not bad enough, AOL is rumored to be preparing to dump SPF… or not.

Andrew Newton presided over MARID, an earlier set of IETF proceedings that came to no conclusions. When Email Battles asked Newton what he thought about the current state of SPF, he responded, “I have to admit, I’ve quit paying attention to them. Without Meng doing all the PR and Wayne [Schlitt doing] all the technical work, what is left? IAB appeals does not a viable technology make.”

While Microsoft claims around 2 million domains have published DNS records usable by both SPF and Sender-ID, the figure represents just 1% - 3% of the registered domains. And that’s before deleting the really loose entries and known spammers.

That’s why Email Battles is changing our “powder dry” recommendation to “forget about it,” at least for now. You have better uses for your time.

As for the Babel of remaining (and competing) authentication methods… eWeek’s Larry Seltzer says the whole authentication effort has been a flop. Seltzer’s hoping against hope that Internet Explorer 7’s new anti-phishing system will make it all better… at least for those working through web browsers.

Our authentication advice? Keep your powder dry.

That advice has served you in good stead for three years. And it’ll probably work for quite a while longer.