Conclusion of SenderID and SPF experiments
draft-moonesamy-senderid-spf-conclusion-00

Versions: 00                                                            
Individual Submission                                       S. Moonesamy
Internet-Draft                                         February 15, 2012
Obsoletes: 4405, 4406, 4407
(if approved)
Intended status: Informational
Expires: August 18, 2012


               Conclusion of SenderID and SPF experiments
               draft-moonesamy-senderid-spf-conclusion-00

Abstract

   This memo concludes the SMTP Service Extension for Indicating the
   Responsible Submitter of an E-Mail Message (RFC4405), Sender ID:
   Authenticating E-Mail (RFC4406), Purported Responsible Address in
   E-Mail Messages (RFC4407) and Sender Policy Framework (SPF) for
   Authorizing Use of Domains in E-Mail, Version 1 (RFC4408),
   experiments.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 18, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Moonesamy                Expires August 18, 2012                [Page 1]


Internet-Draft         SenderID and SPF conclusion         February 2012


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Strawman proposal . . . . . . . . . . . . . . . . . . . . . 3
   2.  Issues identified by the IESG . . . . . . . . . . . . . . . . . 3
   3.  Discussion  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     3.1.  DNS Records for SenderID and SPF  . . . . . . . . . . . . . 4
     3.2.  Resent header fields  . . . . . . . . . . . . . . . . . . . 4
     3.3.  Implementation of SUBMITTER SMTP service extension  . . . . 5
   4.  Outstanding issues  . . . . . . . . . . . . . . . . . . . . . . 5
   5.  Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   9.  Informative References  . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 6






























Moonesamy                Expires August 18, 2012                [Page 2]


Internet-Draft         SenderID and SPF conclusion         February 2012


1.  Introduction

   In April 2006, RFC 4405 [RFC4405], SMTP Service Extension for
   Indicating the Responsible Submitter of an E-Mail Message, RFC 4406
   [RFC4406], Sender ID: Authenticating E-Mail, RFC 4407 [RFC4407],
   Purported Responsible Address in E-Mail Messages and RFC 4408
   [RFC4408], Sender Policy Framework (SPF) were published
   simultaneously as Experimental RFCs.  There was no general technical
   consensus about how to reconcile the two approaches known as Sender
   ID [RFC4406] and SPF [RFC4408].

   This memo concludes the Sender ID and SPF experiments by obsoleting
   the following RFCs: the SMTP Service Extension for Indicating the
   Responsible Submitter of an E-Mail Message [RFC4405], the SMTP
   Service Extension for Indicating the Responsible Submitter of an
   E-Mail Message [RFC4406], and Purported Responsible Address in E-Mail
   Messages [RFC4407].

1.1.  Strawman proposal

   This memo offers a "strawman" proposal to conclude the SenderID and
   SPF experiments.


2.  Issues identified by the IESG

   The following issues were identified in IESG Note attached to the
   Experimental RFCs:

   o  The Sender ID experiment may use DNS records that may have been
      created for the current SPF experiment or earlier versions in this
      set of experiments.  Depending on the content of the record, this
      may mean that Sender-ID heuristics would be applied incorrectly to
      a message.  Depending on the actions associated by the recipient
      with those heuristics, the message may not be delivered or may be
      discarded on receipt.

   o  Participants in the Sender-ID experiment need to be aware that the
      way Resent-* header fields are used will result in failure to
      receive legitimate email when interacting with standards-compliant
      systems (specifically automatic forwarders which comply with the
      standards by not adding Resent-* headers, and systems which comply
      with RFC 822 but have not yet implemented RFC 2822 Resent-*
      semantics).

   In addition, the IESG advised participants publishing SPF experiment
   DNS records to follow section 3.4 of RFC 4406 and publish both v=spf1
   and spf2.0 records to avoid the conflict.



Moonesamy                Expires August 18, 2012                [Page 3]


Internet-Draft         SenderID and SPF conclusion         February 2012


3.  Discussion

3.1.  DNS Records for SenderID and SPF

   The Alexa top one million web hosts were used as a sample of domains.
   287000 of the domains in the sample published SPF records.

                          +------------+--------+
                          | Qualifiers |    No. |
                          +------------+--------+
                          |     +a     | 223030 |
                          |    +all    |   2117 |
                          |   +aspmx   |     25 |
                          |   +exists  |   1415 |
                          |     +ip    |    507 |
                          |    +ip4    | 331927 |
                          |    +ip6    |    833 |
                          |    +ipv4   |    640 |
                          |    +mail   |     44 |
                          |     +mx    | 215065 |
                          |     +p4    |     27 |
                          |    +ptr    |  36507 |
                          |    +spf    |     43 |
                          |     -a     |     33 |
                          |    -all    |  52810 |
                          |    -ip4    |     43 |
                          |    ?all    |  53887 |
                          |   ?exists  |     66 |
                          |     ~a     |     31 |
                          |     ~al    |     29 |
                          |    ~all    | 164812 |
                          +------------+--------+

                          Table 1: SPF qualifiers

   4613 of the domains published SPF (Type 99) DNS records.
   Approximately 800 of these DNS records do not match the "TXT"
   version. 578 domains in the sample published "v=spf2" records.

3.2.  Resent header fields

   According to RFC 5322 [RFC5322] (Section 3.6.6), Resent fields are
   used to identify a message as having been reintroduced into the
   transport system by a user.  The purpose of using Resent fields is to
   have the message appear to the final recipient as if it were sent
   directly by the original sender, with all of the original fields
   remaining the same.  RFC 5322 notes that reintroducing a message into
   the transport system and using Resent fields is a different operation



Moonesamy                Expires August 18, 2012                [Page 4]


Internet-Draft         SenderID and SPF conclusion         February 2012


   from "forwarding"

   There is currently no data to determine whether Resent-* headers
   fields are being added for participants in the SenderID experiment.

3.3.  Implementation of SUBMITTER SMTP service extension

   There has not been widespread implementation of the SUBMITTER SMTP
   service extension.


4.  Outstanding issues

   The SPFBIS Working Group was chartered in February 2012 to work on an
   update of RFC 4408 [RFC4408].  The following outstanding issues
   should be addressed:

   o  Should DNS RR of type SPF, code 99 be used in an update of RFC
      4408?

   o  Mail forwarding


5.  Conclusion

   The IESG invited the community to observe the success or failure of
   the SenderID and SPF approaches after the publication of the
   Experimental RFCs.  It is not possible to determine which approach
   was a success or failure as the requirements to assess that were not
   defined.  It is recommended that the experiments be concluded by
   obsoleting the SenderID Experimental RFCs.  It is the consensus of
   the IETF to produce a standards track document, based on RFC 4408
   [RFC4408], which defines a Sender Policy Framework (SPF) for
   Authorizing Use of Domains in E-Mail.

   Given that the SUBMITTER SMTP service extension is not widely
   implemented and deployed, its use is deprecated.


6.  Security Considerations

   Concluding the SenderID and SPF experiments will not cause loss of
   mail.


7.  IANA Considerations

   The following note for the SUBMITTER SMTP extension should be added



Moonesamy                Expires August 18, 2012                [Page 5]


Internet-Draft         SenderID and SPF conclusion         February 2012


   in the "SMTP Service Extensions" registry:

      The use of SUBMITTER is deprecated by RFC XXXX.


8.  Acknowledgements

   I would like to thank Philip Gladstone for his research on the usage
   of DNS Records for SenderID and SPF and for providing the data in
   Section 3.1.


9.  Informative References

   [RFC4405]  Allman, E. and H. Katz, "SMTP Service Extension for
              Indicating the Responsible Submitter of an E-Mail
              Message", RFC 4405, April 2006.

   [RFC4406]  Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail",
              RFC 4406, April 2006.

   [RFC4407]  Lyon, J., "Purported Responsible Address in E-Mail
              Messages", RFC 4407, April 2006.

   [RFC4408]  Wong, M. and W. Schlitt, "Sender Policy Framework (SPF)
              for Authorizing Use of Domains in E-Mail, Version 1",
              RFC 4408, April 2006.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              October 2008.


Author's Address

   S. Moonesamy
   76, Ylang Ylang Avenue
   Quatre Bornes
   Mauritius

   Email: sm+ietf@elandsys.com











Moonesamy                Expires August 18, 2012                [Page 6]