Messaging Anti-Abuse Working Group Evaluates SPF and Sender ID E-Mail Authentication Solutions

The Messaging Anti-Abuse Working Group (MAAWG), a group of communications and technology companies committed to solving spam, viruses and other forms of messaging abuse, today unveiled the results of more than six months of evaluation of Sender Policy Framework (SPF) and Sender ID e-mail authentication solutions. The results, published by MAAWG's Technical Committee, compare original SPF, current Sender ID and current "Classic SPF" e-mail specifications and provide technical advice -- including the risks -- for senders, forwarders and recipients who implement each specification.

"To stop spam, phishing and other forms of messaging abuse, we must first rid the Internet of sender forgery and the use of zombie networks and prevent criminals from hiding behind veils of anonymity," said Tripp Cox, co-chair of the MAAWG Technical Committee and chief technology officer for EarthLink. "Sender authentication proposals seek to create an environment of validity in e-mail. By evaluating individual authentication solutions objectively and analyzing their strengths and limitations, we can continue to improve their effectiveness."

He noted that members of MAAWG's Technical Committee began formally evaluating SPF and Sender ID in October 2004. The collective results, entitled "Considerations for Implementers of SPF and/or Sender ID," can be found online.

"We believe more evaluation is needed on all authentication protocols, and we are committed to continuing these efforts to end messaging abuse and secure the deliverability of legitimate e-mail," Cox said.

The MAAWG Technical Committee plans to evaluate DomainKeys Identified Mail (DKIM) and Client SMTP Validation (CSV) authentication protocols later this year.

While MAAWG neither endorses nor discourages the use of SPF or Sender ID, the Technical Committee's findings highlight real-world risks to the delivery of legitimate e-mail when the specifications are implemented. The Internet Engineering Steering Group (IESG) classifies each proposal as an "experimental RFC" (Request For Comment), which is not part of the organization's standards track.

Key considerations published by the MAAWG Technical Committee include:
  • Forwarded or re-sent mail will fail authentication without further changes to these services, such as re-writing return addresses and adding new headers.
  • Publishers must ensure that their records permit mail from all possible points of origination.
  • Receivers must be aware that authentication does not provide protection against forgery of the most common user-visible mail headers.
  • Receivers must be aware that performing some checks in accordance with Sender ID and SPF Classic may yield inaccurate authentication results due to misinterpretation of the Sender's authorization.
  • Operators providing mail submission services to roaming users (usually, ISPs) may need to forge or add certain headers in order to ensure successful authentication.

MAAWG is the first and only global organization of network operators and messaging service providers working together under voluntary, formal agreements to end messaging abuse. The MAAWG Technical Committee was chartered to evaluate standards, determine their suitability to address member concerns, provide guidance to members regarding implementation and provide feedback to standards groups on real-world implications.

MAAWG's next general meeting will be held in Montreal, Canada from Nov. 8 to Nov. 10, 2005.