BLOG

Fun with opinions

Over the last few weeks I’ve seen a couple people get on mailing lists and make pronouncements about email. It’s great to have opinions and it’s great to share them. But they’re always a little bit right… and a little bit wrong.

SPF is dead!

This came from the new ESP of an experienced mailer. They were recommending not publishing SPF records because it was “an old technology.” Some discussion ensued and a wise person pointed out that the DNS record type of SPF was dead. See, when folks first started playing with SPF, the RFC said use a new DNS record type called “SPF.” This was a bit of a fail (it’s possible I referred to it as a “turd no one could sufficiently polish” during the discussion). The IETF described it thusly:

In 2003, when SPF was first being developed, the requirements for assignment of a new DNS RR type were considerably more stringent than they are now. Additionally, support for easy deployment of new DNS RR types was not widely deployed in DNS servers and provisioning systems. As a result, developers of SPF found it easier and more practical to use the TXT RR type for SPF records.

In its review of [RFC4408], the SPFbis working group concluded that its dual RR type transition model was fundamentally flawed since it contained no common RR type that implementers were required to serve and required to check. Many alternatives were considered to resolve this issue, but ultimately the working group concluded that significant migration to the SPF RR type in the foreseeable future was very unlikely and that the best solution for resolving this interoperability issue was to drop support for the SPF RR type from SPF version 1. See Appendix A of [RFC6686] for further information.

The circumstances surrounding SPF’s initial deployment a decade ago are unique. If a future update to SPF were developed that did not reuse existing SPF records, it could use the SPF RR type. SPF’s use of the TXT RR type for structured data should in no way be taken as precedent for future protocol designers. Further discussion of design considerations when using new DNS RR types can be found in
[RFC5507]. RFC7208

A little bit right… the SPF record is dead.
A little bit wrong… SPF as a protocol isn’t dead.

The good news is that the experienced mailer is on a dedicated IP and using their own domain in the return path, so they don’t need their ESP to be involved, they can publish a SPF record themselves.

DMARC doesn’t work! SPF is the way forward.

A comment on this blog that showed up earlier this week. Yes, DMARC irreparably breaks some of the ways many of us use email, including mailing lists and forwarders. It hurts a lot of small businesses and local organizations who may have freemail addresses for newsletters. It breaks things. It break things in ways that are not healthy for the email ecosystem. I’ve said this repeatedly in fora and at conferences. It’s also going forward whether I like it or not. To be fair, there are folks actively working on ways to minimize and mitigate the breakage, so this might be temporary. Or it might be yet another nail in the email coffin. (Cue the people who now hate me because I said email was dead.)

A little bit right… DMARC does break things. But that’s it working as designed and those of us who think that consumer ISPs shouldn’t publish p=reject are in the minority here.

A little bit wrong… SPF is one technology but it isn’t a magic one. It is, arguably, the oldest authentication scheme and the fact that we have two others piled on top of it says it wasn’t that effective.

Opinions! Everyone has them!

Yes, we all have opinions. And they’re a little bit right and a little bit wrong.

 

1 comment

  1. Mathieu says

    “Opinions! Everyone has them!”

    And that’s why we love event like the one about to take place in SF in two weeks: to talk to and get their take from the people actually working on those standards. Hey, you never know, sometimes we can even provide them with some feedback of our own or help them test some new ideas or concepts. Honestly, I’ve been in several professional environnements, but that’s one of the rare ones were you can find this kind of involvment from so many actors.

Comment:

Your email address will not be published. Required fields are marked *

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments


  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment


  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments


Archives