Sender Policy Framework - Controversy

Controversy

In 2004, Steven M. Bellovin wrote an e-mail that discusses his concerns with SPF. Some of these include:

  • SPF originally used TXT records in DNS, which are supposed to be free-form text with no semantics attached. SPF proponents readily acknowledge that it would be better to have records specifically designated for SPF, but this choice was made to enable rapid implementation of SPF. In July 2005, IANA assigned the Resource Record type 99 to SPF. During the transition, SPF publishers may publish both record types and SPF checkers may check for either type. It is likely to take many years before all DNS software fully supports this new record.
  • As of the time he wrote his message, there was no consensus that this is the right way to go. Some major e-mail service providers have not bought into this scheme. Unless and until they do, it does not help much, either for their customers (who make up a substantial proportion of the user population) or for everyone else (since their addresses could be forged). It is worth noting that since this concern was raised, Google Mail and AOL, among others, have embraced SPF.
  • Bellovin's strongest concerns involve the underlying assumptions of SPF (SPF's "semantic model"). When using SPF, the SPF DNS records determine how a sender is allowed to send. That means that the owner of the domain will control how senders are allowed to send. People who use "portable" e-mail addresses (such as e-mail addresses created by professional organizations) will be required to use the domain owner's SMTP sender, which may not currently even exist. Organizations providing these "portable" addresses could, however, create their own mail submission agents (MSAs) (RFC 6409) or offer VPNs or simply not publish an SPF record. Besides, SPF only ties the SMTP Return-Path to permitted MSAs; users are still free to use their RFC 5322 addresses elsewhere.

There are other concerns about the impact of widespread use of SPF, notably the impact on various legitimate forms of email spoofing, such as forwarding services, SMTP use by people with multiple identities, etc. (For example, a person who uses their home ISP's SMTP servers to send mail with their work email as the address.) On the other hand, many of these uses may be "expected" yet not "legitimate". To a certain extent this is more a question of ownership and expectations than a technical question.
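
An added example, not part of the original page: a minimal SPF check in Python showing that the result depends only on the connecting IP and the Return-Path domain, which is why a home-ISP relay or a forwarder fails for a "portable" address while the From: header plays no part. The domains, addresses and records are constructed placeholders, and only the ip4/ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed sample policies, keyed by domain as a DNS TXT lookup would return
# them. Names and addresses are documentation placeholders (assumptions).
SPF_RECORDS = {
    "society.example": "v=spf1 ip4:192.0.2.0/24 -all",    # "portable" address provider
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",     # member's home ISP
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, return_path):
    """Evaluate the Return-Path domain's policy against the connecting IP.

    Simplification: only ip4/ip6 and all are handled; other terms are skipped.
    The From: header is deliberately not a parameter, SPF never consults it.
    """
    domain = return_path.rsplit("@", 1)[-1].lower()
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mechanism.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched, no "all" term


def scenarios():
    """Constructed deliveries for one member of society.example."""
    return {
        "society MSA": check_spf("192.0.2.25", "alice@society.example"),
        "home ISP relay": check_spf("198.51.100.7", "alice@society.example"),
        "forwarder keeps Return-Path": check_spf("203.0.113.9", "alice@society.example"),
        # Return-Path at the ISP; society address used only in From:.
        "ISP Return-Path": check_spf("198.51.100.7", "alice@isp.example"),
        "no SPF record": check_spf("203.0.113.9", "bob@unpublished.example"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:30} {result}")
```

The "no SPF record" case returns none, which corresponds to the option of an organization simply not publishing a record.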
