Individual Submission S. Moonesamy Internet-Draft February 15, 2012 Obsoletes: 4405, 4406, 4407 (if approved) Intended status: Informational Expires: August 18, 2012 Conclusion of SenderID and SPF experiments draft-moonesamy-senderid-spf-conclusion-00 Abstract This memo concludes the SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message (RFC4405), Sender ID: Authenticating E-Mail (RFC4406), Purported Responsible Address in E-Mail Messages (RFC4407) and Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1 (RFC4408), experiments. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 18, 2012. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Moonesamy Expires August 18, 2012 [Page 1] Internet-Draft SenderID and SPF conclusion February 2012 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Strawman proposal . . . . . . . . . . . . . . . . . . . . . 3 2. Issues identified by the IESG . . . . . . . . . . . . . . . . . 3 3. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. DNS Records for SenderID and SPF . . . . . . . . . . . . . 4 3.2. Resent header fields . . . . . . . . . . . . . . . . . . . 4 3.3. Implementation of SUBMITTER SMTP service extension . . . . 5 4. Outstanding issues . . . . . . . . . . . . . . . . . . . . . . 5 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 9. Informative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 Moonesamy Expires August 18, 2012 [Page 2] Internet-Draft SenderID and SPF conclusion February 2012 1. Introduction In April 2006, RFC 4405 [RFC4405], SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message, RFC 4406 [RFC4406], Sender ID: Authenticating E-Mail, RFC 4407 [RFC4407], Purported Responsible Address in E-Mail Messages and RFC 4408 [RFC4408], Sender Policy Framework (SPF) were published simultaneously as Experimental RFCs. There was no general technical consensus about how to reconcile the two approaches known as Sender ID [RFC4406] and SPF [RFC4408]. This memo concludes the Sender ID and SPF experiments by obsoleting the following RFCs: the SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message [RFC4405], the SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message [RFC4406], and Purported Responsible Address in E-Mail Messages [RFC4407]. 1.1. Strawman proposal This memo offers a "strawman" proposal to conclude the SenderID and SPF experiments. 2. Issues identified by the IESG The following issues were identified in IESG Note attached to the Experimental RFCs: o The Sender ID experiment may use DNS records that may have been created for the current SPF experiment or earlier versions in this set of experiments. Depending on the content of the record, this may mean that Sender-ID heuristics would be applied incorrectly to a message. Depending on the actions associated by the recipient with those heuristics, the message may not be delivered or may be discarded on receipt. o Participants in the Sender-ID experiment need to be aware that the way Resent-* header fields are used will result in failure to receive legitimate email when interacting with standards-compliant systems (specifically automatic forwarders which comply with the standards by not adding Resent-* headers, and systems which comply with RFC 822 but have not yet implemented RFC 2822 Resent-* semantics). In addition, the IESG advised participants publishing SPF experiment DNS records to follow section 3.4 of RFC 4406 and publish both v=spf1 and spf2.0 records to avoid the conflict. Moonesamy Expires August 18, 2012 [Page 3] Internet-Draft SenderID and SPF conclusion February 2012 3. Discussion 3.1. DNS Records for SenderID and SPF The Alexa top one million web hosts were used as a sample of domains. 287000 of the domains in the sample published SPF records. +------------+--------+ | Qualifiers | No. | +------------+--------+ | +a | 223030 | | +all | 2117 | | +aspmx | 25 | | +exists | 1415 | | +ip | 507 | | +ip4 | 331927 | | +ip6 | 833 | | +ipv4 | 640 | | +mail | 44 | | +mx | 215065 | | +p4 | 27 | | +ptr | 36507 | | +spf | 43 | | -a | 33 | | -all | 52810 | | -ip4 | 43 | | ?all | 53887 | | ?exists | 66 | | ~a | 31 | | ~al | 29 | | ~all | 164812 | +------------+--------+ Table 1: SPF qualifiers 4613 of the domains published SPF (Type 99) DNS records. Approximately 800 of these DNS records do not match the "TXT" version. 578 domains in the sample published "v=spf2" records. 3.2. Resent header fields According to RFC 5322 [RFC5322] (Section 3.6.6), Resent fields are used to identify a message as having been reintroduced into the transport system by a user. The purpose of using Resent fields is to have the message appear to the final recipient as if it were sent directly by the original sender, with all of the original fields remaining the same. RFC 5322 notes that reintroducing a message into the transport system and using Resent fields is a different operation Moonesamy Expires August 18, 2012 [Page 4] Internet-Draft SenderID and SPF conclusion February 2012 from "forwarding" There is currently no data to determine whether Resent-* headers fields are being added for participants in the SenderID experiment. 3.3. Implementation of SUBMITTER SMTP service extension There has not been widespread implementation of the SUBMITTER SMTP service extension. 4. Outstanding issues The SPFBIS Working Group was chartered in February 2012 to work on an update of RFC 4408 [RFC4408]. The following outstanding issues should be addressed: o Should DNS RR of type SPF, code 99 be used in an update of RFC 4408? o Mail forwarding 5. Conclusion The IESG invited the community to observe the success or failure of the SenderID and SPF approaches after the publication of the Experimental RFCs. It is not possible to determine which approach was a success or failure as the requirements to assess that were not defined. It is recommended that the experiments be concluded by obsoleting the SenderID Experimental RFCs. It is the consensus of the IETF to produce a standards track document, based on RFC 4408 [RFC4408], which defines a Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail. Given that the SUBMITTER SMTP service extension is not widely implemented and deployed, its use is deprecated. 6. Security Considerations Concluding the SenderID and SPF experiments will not cause loss of mail. 7. IANA Considerations The following note for the SUBMITTER SMTP extension should be added Moonesamy Expires August 18, 2012 [Page 5] Internet-Draft SenderID and SPF conclusion February 2012 in the "SMTP Service Extensions" registry: The use of SUBMITTER is deprecated by RFC XXXX. 8. Acknowledgements I would like to thank Philip Gladstone for his research on the usage of DNS Records for SenderID and SPF and for providing the data in Section 3.1. 9. Informative References [RFC4405] Allman, E. and H. Katz, "SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message", RFC 4405, April 2006. [RFC4406] Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail", RFC 4406, April 2006. [RFC4407] Lyon, J., "Purported Responsible Address in E-Mail Messages", RFC 4407, April 2006. [RFC4408] Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1", RFC 4408, April 2006. [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, October 2008. Author's Address S. Moonesamy 76, Ylang Ylang Avenue Quatre Bornes Mauritius Email: sm+ietf@elandsys.com Moonesamy Expires August 18, 2012 [Page 6]