Sender Policy Framework (SPF)

More costs coming?

         

coopster

8:08 pm on Sep 18, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



There has been good discussion here at WebmasterWorld regarding the proposed Sender Policy Framework (SPF) [spf.pobox.com] solution. It certainly can leave one with many questions and concerns. Notably, I'd like to get others' feelings regarding the possible costs involved. A comment made by plumsauce regarding the issue [webmasterworld.com] prompted me to dig in a bit more and I want to see what others have to say.


Sept 7, 2004 plumsauce said:

Since this thread has popped to the top again, I would like to mention that on further research into SPF it seems to be the thin edge of the wedge into a *paid* certification program. For something that is relatively new, there seems to be a great deal of commercialisation surrounding it. The idea has some merit, but it is being pushed without the benefit of an RFC as a standard and with an intent of commercial gain underlying it for the proponents of the third party certification process.

The bottom line is that while I *might* implement SPF records, *if* a RFC is promulgated, I will not be seeking additional third party certification.

Narrowly available third party certification would be another closed club similar to the issuers of SSL certs.

Point taken. Is this once again going to be a paid service? Seems the business model [spf.pobox.com] states as such. Reputation, accreditation, and paid subscribers are the keywords here. Are SPF fees going to be next in an already long line of "cost-of-doing-business" expenses?

The floor is open for discussion and I invite others to post questions, comments and concerns as well.

henry0

12:41 pm on Sep 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Two-way thread of thoughts:
A) Why should I pay to regain an unclogged email pipe?
Should I consider being under the sword of a “mafia protection racket”?
B) I accept and acknowledge that I have lost a battle but not the war.
Therefore winning has a cost and I shall pay for it.
My email address (due to my second job) is in many webs, press releases etc...
So for a long time I have been “email-doomed”.
I will pay with a smile, although I need to study the topic very carefully.

As per the business model I foresee a possible cost for the end user
Again it seems that I will gladly pay

Thanks for bringing it up
Henry

plumsauce

7:01 pm on Sep 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Further general comment:

Due to concerns about patents, the apache foundation has come out against certain components of it. The ietf has also come out against it. Without the ietf, there is no rfc. i think aol has also dropped implementation of the disputed components. (edited after following links in tedster's post)

The problem in my mind is not whether an end user needs to pay, it is that an absolutely clean server cannot do its job without having spf in place, and there seems to be a pool of private interests who are ready to ensure that this is only possible with paid certification. Even less appealing is that ownership of these private interests is not front and center. A careful reader would need to consider whether the business strategy is to get the usage of spf up to critical mass before mandating the aforementioned paid certification as the next requirement. You might call this SPF LITE and SPF ENTERPRISE. Who would then be satisfied with SPF LITE? Peer pressure would then make it almost impossible to operate with only SPF LITE.

Similarly, it is impossible to use https in a practical way with self signed certificates even though it is technically possible and fully achieves the goal of encryption. This is because it was extended with an identification component, which has nothing to do with achieving secure encryption. But it makes the certificate providers a ton of money.

You should not have to pay to use a protocol successfully.

As there is no rfc, I will not be implementing spf. To do so voluntarily would be to help the private interests get to critical mass. If a recipient has a problem with a lack of a spf dns record they will have to deal with their provider as they are asking for a non-standard extension.

I hope this helps anyone considering the long term effects of using spf on their servers. Please wait until both an rfc is in place and the matter of paid certification is dealt with. There are enough oligopolies already.

jdMorgan

7:39 pm on Sep 19, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I added SPF records to the DNS records of all of the servers I administrate that might send e-mail to multiple recipients. At no time was any cost but my time involved. All the SPF record does is to say, "Any e-mail purporting to be sent from this domain should be sent by one of the following IP addresses or hostnames." So where is this "Pay to play" idea coming from? I'm not "wired-in" to this area of technology, so this is a sincere question.

I'm looking for references or citations that might lead me to believe there is an ulterior motive with SPF. I "subscribed" to SPF because I preferred it to the paid "registered sender" programs we were hearing about from MS and others, which were obvious ploys to cash in on the plague of spam. With a strongly-rumored October 1st deadline to put the sender policies in place, I did not want to have to deal with a bunch of bounces in two weeks.

Jim

py9jmas

8:56 pm on Sep 19, 2004 (gmt 0)

10+ Year Member



With a strongly-rumored October 1st deadline to put the sender policies in place

By who? I'd be surprised if anyone started bouncing emails from domains that don't have any SPF records this early. Bouncing emails from servers that don't match their domain's SPF records is understandable.

One of the reasons TCP/IP etc have worked so well is that people tried and tested them and used them then wrote up what they did as an RFC. They didn't sit around in industry committees arguing over protocols that no one had actually implemented.

Similarly, it is impossible to use https in a practical way with self signed certificates even though it is technically possible and fully achieves the goal of encryption.

Without a trusted third party to vouch for the identity of the person you are talking to you are opening the door to (very practical) man-in-the-middle attacks - you simply won't know who you are talking securely with.

You should not have to pay to use a protocol successfully.

Can you point to anywhere in the SPF system where there is any possibility of this? Not Microsoft's SenderID, or Yahoo's DomainKeys, but in SPF? You seem to be arguing against the most open/free system proposed.

plumsauce

4:41 am on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



jdmorgan,

no problem, your participation in other threads is always a model to be emulated. the commercialisation links start at the following url on the pobox site, [spf.pobox.com]. i presume that since this is a reply to moderators, and a link to a neutral site that this will be permitted.

give special attention to the services link in the left sidebar.

py9jmas,

first, see the material presented above,

and for:

Without a trusted third party to vouch for the identity of the person you are talking to you are opening the door to (very practical) man-in-the-middle attacks - you simply won't know who you are talking securely with.

esoteric attacks notwithstanding, i stand by my earlier statement:

Similarly, it is impossible to use https in a practical way with self signed certificates even though it is technically possible and fully achieves the goal of encryption.

it is the introduction of the secondary element of identification which makes self signed certificates unacceptable to most users, and it is that element where the certificate authorities make their money. therefore, you can use the protocol at no cost, but no one wants to talk to you.

the same thing can happen with spf once the spin is put out that spf without third party certification is not real spf. it would be reasonable to presume that the proposed certification services will not be free. certainly, there has been no binding commitment that these services will be free. (see earlier reference to spf lite and spf enterprise)

third party certification of identity, trust and compliance bears more than a passing resemblance to what we already see in the ssl certificate business. and it is a big business. think thawte, who bootstrapped themselves into the cert business, and then sold out to the big boys anyways. if anyone can name a source for free third party certs, i am sure that there are plenty of readers here that would be interested. if you still doubt that issuing ssl certs is big business, check out what it costs to join the club by way of being certified as a downstream issuer. i'm sure it's no cheaper than the last time i checked.

anyone promoting spf today, is promoting the requirement for third party certification tomorrow. that would be one certificate for *every* domain you use. even if you only send the occasional email from that domain.

if i were an spf insider, i would promote the heck out of it because it ties the system to me in the future. then, i could, in that lovely ecommerce word: "monetize" my earlier contribution. followed by an ipo of course.

henry0

6:05 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did you know that the same thread (close enough) goes on here:
[webmasterworld.com...]

py9jmas

6:29 pm on Sep 20, 2004 (gmt 0)

10+ Year Member



the commercialisation links start at the following url on the pobox site, [spf.pobox.com...]

So they offer consultancy services to make sure your configuration is correct?

give special attention to the services link in the left sidebar.

They link to other people's services for bulk-emailing? Such as services which have a bond arrangement with Hotmail?

esoteric attacks notwithstanding

Man in the middle attacks the trusted third party protects against are trivial. Think emailing a registrar and convincing them to point www.ebay.de at your server. Think DNS cache poisoning. Think shared proxy caches. Think phishing scams.

without third party certification is not real spf

The certification is basically a consultancy service to help companies have confidence that their systems are configured correctly.

coopster

6:35 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member




jdMorgan says:

So where is this "Pay to play" idea coming from? I'm not "wired-in" to this area of technology, so this is a sincere question.

I'm no expert on the technology either and the reason for discussion. Hopefully more minds will help clarify things.

plumsauce has already linked the resource but I'll tell you where I did some digging that shows how those links came to existence in the first place. At the top right of the SPF pages you will find a navigational link to the FAQ [spf.pobox.com] which is where I found the Aspen business model link in my first post, which is the first place you will notice the *accreditation services* that plumsauce describes. Well, the link I offered is in a pretty picture model that is quick and easy to read and understand. However, the textual discussion offers much more. I have also been reading through the discussions [archives.listbox.com] and that is where I first read about the notion of this model. It just doesn't smell right to me.

henry0
Although that thread is related in that it discusses a separate portion (Sender ID) of possible solutions to the same issue, I specifically wanted to address the business model and possible costs associated.

plumsauce

8:23 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



everyone reading this thread should followup and read the posted resources for themselves with a critical mind. fanciful thinking and a dependence on the goodwill of others will not save you in the end if spf gains momentum. coopster has kindly summarised it this way:

It just doesn't smell right to me.

and that's the point that i have been trying to make in a much more long winded fashion. readers, please do your homework before buying into spf. at the very least, there should be a binding perpetual commitment on the part of the promoters that there will be no fees or restrictions whatsoever associated with the implementation, accreditation, certification of spf. this is already the reason that apache.org and aol.com have rejected implementing the combined proposal.

py9jmas,

you just made my point, certs cost money, so will spf certification. if you doubt this, please actually follow and read all the links out of the certification page.

i am predicting that spf certs will follow the path of ssl certs. history is about to repeat itself, and spf adopters will get to pay the freight. eventually, if you want to be considered as using an "acceptable" spf configuration, you will need to fork out an annual fee.

plumsauce

8:28 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




py9jmas,

Man in the middle attacks the trusted third party protects against are trivial. Think emailing a registrar and convincing them to point www.ebay.de at your server. Think DNS cache poisoning. Think shared proxy caches. Think phishing scams.

please use an example of an attack that actually employs the technology that was discussed. none of the examples you used have anything to do with encryption. my comments were specifically directed at ssl encryption, nothing else.

i repeat, it is the addition of the "identity verification" element that the cert authorities make their money on. not the successful use of ssl itself.

pageoneresults

8:33 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I added SPF records to the DNS records of all of the servers I administrate that might send e-mail to multiple recipients. At no time was any cost but my time involved.

I'm with jdMorgan on this one. There was about 20-30 minutes of information review in regards to SPF and then about 3-5 minutes per domain to configure everything.

I don't see where the paranoia is warranted. I've reviewed the SPF information and there seems to be a long list of supporting organizations.

"From the perspective of what SPF does, which is provide authentication to stop domain spoofing and phishing attacks, it's fantastic," he says. "To leverage it alone, as a spam solution, is not why it was created."
Scott Chasin - MX Logic

py9jmas

8:58 pm on Sep 20, 2004 (gmt 0)

10+ Year Member



an attack that actually employs the technology that was discussed

www.ebay.de was updated to point to someone else a couple of weeks ago.
[theregister.co.uk...]

LinuxExposed.com has this to say about DNS cache poisoning:

Cache poisoning was, and still is, popular with IRC hackers, and although daemons vulnerable to common cache poisoning have decreased, many servers are still vulnerable and cache poisoning is still a possible exploit.

Phishing scams try to impersonate genuine banks, etc. SSL certs makes it very difficult to fool people when the browsers throw warnings about unsigned/invalid certificates.

my comments were specifically directed at ssl encryption, nothing else.

Encryption without authentication is pointless. What good is encrypting the communications when divulging your credit card details when you're talking to the attacker, not the bank you thought you were talking to?

jdMorgan

9:15 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't really intend to "stake out a side" in an argument here. What I was looking for was an overview article discussing this from an outside, but informed view. The reason I ask is that I'm a member of a small non-profit organization, and I run the Web site. We occasionally send "news" e-mail to our opt-in members. The organization is small enough to be low-budget, but the e-mail list is large enough to be considered "bulk" e-mail.

So, the position I'm in is that if I don't install an SPF record in our DNS, then there's the possibility that those e-mails will be blocked. And if I do install the SPF record, then there's the possibility that I'll help promote a service that will quickly move to a certification-required model that a small non-profit organization like ours cannot afford. My main concern is that since this is an NPO, I don't get paid, and therefore, handling bounces takes time I can't afford, either.

So, I'm looking for informed third-party articles about this subject primarily from the ISP viewpoint: what are AOL and MSN and some of the other bigger mail-handling ISP-type companies going to do with it? I read (here on WebmasterWorld, I believe) that AOL was going to start using SPF on October first, and reacted accordingly.

Jim

coopster

10:34 pm on Sep 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>>I don't really intend to "stake out a side" in an argument here.

Thank you for that, and all that participate in this discussion.

Let's keep the discussion exactly that, a discussion. An intelligent, informed discussion with substantive evidence. Also, paranoia is not a word I would use to describe the discussion here, not at all. There is no tendency toward excessive distrust nor irrational suspicion of the founders and developers regarding SPF. I don't know of a better word than paranoia, but a more precise definition here would be something along the lines of speculative direction based on factual evidence. In my understanding they (SPF) have been very clear when it comes to future development and direction. Please take the time to read the linked materials. Yes, it does take time. I've spent roughly 30 hours or better so far absorbing the discussions and direction and I feel I've only seen the tip of the iceberg.

I didn't start this thread to excite people or throw any fear, uncertainty or doubt toward a reasonable solution to a real issue. The collective audience of minds here at WebmasterWorld should be able to analyze and discuss the materials presented and deduce logical conclusions. I am opposed to any fee-based support structure or 3rd party accreditation. To me, that is not a reasonable solution. It seems so simple to me to have a standard, adopt it, and allow the site administrator to continue managing email control via an additional DNS record. Clean and simple!

jd, I have not yet found any informed third-party articles about this subject primarily from the ISP viewpoint. AOL [postmaster.aol.com] doesn't offer much on their home page and I really can't find much else so far. I'm not sure if we will yet as there is so much indecision [news.com.com].

john_pinx

7:36 am on Oct 23, 2004 (gmt 0)

10+ Year Member



I have been on the IETF and SPF mail-lists for some time now, and can assure everyone that SPF is free.

There is an attempt going on at the moment, by Microsoft, to use the spf records inappropriately, in their own system called Sender-ID, but that is up to them. The records are published and people are free to do what they want with the information.

Meantime, back at the ranch, the SPF community is developing the solutions to deal with the known issues that exist in the first version of SPF. As with any new protocol, there are always early hiccups. Having said that, SPF version 1 can deal with a huge percentage of e-mail transmissions now. The main issues are about mail forwarding services and mail-lists.

I suggest that we all hang in here and allow SPF work to continue. Publishing the records and using the existing milters as part of your spamassassin or other spam control system is the best way for now. There are many tools available for creating records, validating, etc, etc. They are all on the spfhelp website. It's new and not google-able yet - so use your imagination ;-)

There is also a query form where you can get spf questions answered by one of the leading coders.

Don't forget - SPF does *not* stop spam - it tells you if an email coming from "anyone@somedomain.com" actually came from a place authorised by the owner of "somedomain.com". Having said that - with something like a million records now published the results are sometimes spectacular - some users claim SPF stopped 80% of unwanted mail.

Also - SPF does not stop phishing. That's the email pretending to be someone it isn't - maybe your bank - for the purposes of getting your personal details. Phishing is a serious problem for the financial world, and SPF is working on the phishing problem as well.

The fact that spammers are using spf means that they are worried, and they are *much* more easily traced. :-)

Please use SPF - and tell your friends :-)

Slainte,
JohnP

[edited by: rogerd at 2:34 am (utc) on Oct. 24, 2004]
[edit reason] No URLs, please... [/edit]
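The mechanism jdMorgan describes earlier in the thread ("any e-mail purporting to be sent from this domain should be sent by one of the following IP addresses or hostnames") and the mail-forwarding problem john_pinx mentions above can both be seen in a small receiver-side evaluator. This is an added example, not code from the thread or from the SPF project: it evaluates a constructed `v=spf1` record against an in-memory DNS table (the domains `example.org`, `mail.example.org`, `_spf.mailhost.example` and every address below are made up), supports the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with the four qualifiers, and omits the `redirect=`/`exp=` modifiers, macros, CIDR suffixes on `a`/`mx`, and the DNS-lookup limits a real resolver enforces.

```python
"""Simplified SPF (v=spf1) evaluator over a constructed, in-memory DNS table.

Mechanisms: ip4, ip6, a, mx, include, all. Qualifiers: + (pass), - (fail),
~ (softfail), ? (neutral). Modifiers, macros and lookup limits are omitted.
"""
import ipaddress

# Constructed DNS data for hypothetical domains; none of this is real.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx "
                "include:_spf.mailhost.example -all"],
        "MX": ["mail.example.org"],
        "A": ["192.0.2.10"],
    },
    "mail.example.org": {"A": ["203.0.113.5"]},
    # A hypothetical outsourced mail host referenced via include:
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/26 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in_hosts(ip, hostnames):
    """True if ip equals any A record of any of the given hostnames."""
    for host in hostnames:
        for addr in lookup(host, "A"):
            if ip == ipaddress.ip_address(addr):
                return True
    return False


def check_spf(sender_ip, domain, depth=0):
    """Evaluate domain's SPF policy for a connection from sender_ip.

    Returns "pass", "fail", "softfail", "neutral", "none" (no record) or
    "permerror" (include chain too deep). Terms are tested left to right and
    the first matching term's qualifier decides the result, as in SPF.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first ":" only, so ip6 args survive
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Mixed-version comparisons are simply False in ipaddress.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"))
        elif name == "include":
            # include matches only when the included policy yields "pass"
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # no term matched and no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.5", "198.51.100.9",
               "198.51.100.100", "2001:db8::1"):
        print(f"{ip:>16} -> {check_spf(ip, 'example.org')}")
```

The last address in the demo run stands in for a forwarding service that relays mail for `example.org` users from an IP the domain owner never listed: with `-all` at the end of the record the result is `fail`, which is exactly the forwarding problem the thread refers to, and why a receiver may prefer to treat a fail as one scoring input (as with the SpamAssassin setup mentioned above) rather than an outright reject.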