SPF, SIDF, DomainKey: what's in a standard?

Posted Mar 8th 2005 8:49PM by Sarah Gilbert

As the makers of beta format videotapes well know, standards are everything. And in the increasingly difficult battle against spammers, it's become an all-out standards war. Security experts and email companies are proposing several different email address verification standards. There's Sender Policy Framework (SPF), "an SMTP extension that rejects messages whose senders' "From" field domain names don't match a list of authorized IP addresses for that domain." Then there is Sender ID Framework (SIDF), which combines SPF with Microsoft's former Caller ID for E-mail proposal. The problem: to work, everyone has to register with the public SPF database. Only a handful of banks and other phish-worthy companies have registered.

And then there's Yahoo!'s DomainKey. It uses public key encryption technology - something that's been largely rejected as a solution - and Yahoo! won't give up the fight to squash SPF and SIDF in favor of DomainKey.

Clearly, there won't be a good solution unless everyone can agree on one - and use it. Will we be destined for many more years of "Whac-a-Mole" or will a VHS-style winner emerge?

Reader Comments

(Page 1)

1. SPF nor Sender ID require a registration in a public database. And Yahoo's Domain Keys has not been rejected. In fact, it is being combined with Cisco's IIM and will likely be a work item of the IETF by this summer.

Posted at 4:51AM on Dec 19th 2005 by grumpy

2. Gmail, EarthLink, Lycos, Yahoo, SBC, British Telecom, and Rogers Cable are using DomainKeys, but it has been largely rejected?

BTW, the 'public database' registration you talk about for Sender ID is also required to have a domain, have a website, and have email. It also applies to SPF. In other words, the registration aspect of it is not a problem.

Posted at 4:51AM on Dec 19th 2005 by Miles

3. What public SPF database?

SPF leverages the DNS system. You set up an extra DNS record just like you would set up a record indicating your web server's address, or where someone should send email addressed to you.

There is a voluntary list of domains using SPF, but it's just a PR tool and has nothing to do with the system's actual workings.

And while it's frustratingly true that very few phish-worthy domains have set up SPF records, quite a few domains have -- including AOL, Earthlink, Gmail, Symantec, Ebay/Paypal, and a number of other high-profile sites: http://spftools.infinitepenguins.net/earlyadopters.php

Posted at 4:51AM on Dec 19th 2005 by Kelson

4. At Email Battles, we've covered the SPF/SIDF/DKIM follies, including the latest dust-up, since early in the MARID debates. We have consistently advised our readers to wait till the dust settles.

The dust clearly hasn't settled.

Posted at 4:51AM on Dec 19th 2005 by Brian Gillette

Hyundai Genesis obtiene 5 estrellas en las pruebas de impacto de la NHTSA ¿Qué pasará finalmente con el Viper? Ferraris de leyenda: el Ferrari 158 F1
France's Oyster Industry In Trouble Naomi Campbell's Beau Buys Her $18.5 Million Apt. in Brazil Burberry Metallic Leather Shoulder Bag, Handbag of the Day	Is market rising on Obama presidency? Forbes expert sees fast growth for Altera (ALTR) A six-pack of technology favorites
Kids, don't try this at home Chocolate mousse is a perfect summer dessert Holy awesome! Key Lime dream ice cream!	Photo of the Day (08/28/08) Indian woman gives birth on Australia-bound flight The Onion launches Decider cityguides