S. Moonesamy is the Document Shepherd for this document. Pete Resnick
is the Responsible Area Director.
draft-ietf-spfbis-4408bis describes version 1 of the Sender Policy
Framework (SPF) protocol, whereby Administrative Management Domains
can explicitly authorize the hosts that are allowed to use their domain
names, and a receiving host can check such authorization.
The working group was chartered to produce a document as a Proposed
Standard defining the SPF protocol based upon RFC 4408 (Experimental).
Review and Consensus
This document is a product of the SPFBIS working group, and has been
through a large number of revisions including a complete reorganization
of the document. The working group dealt with a number of controversial
topics. The following outlines how those were resolved:
There was an intermediate conclusion about the topic of whether the SPF
protocol should use the SPF RRTYPE or the TXT resource record. It was
followed by an objection. After discussion of the topic at the IETF 83
SPFBIS WG session the conclusion reached was that the decision would be
not to publish RRTYPE 99 and not to query RRTYPE 99. The WG
consensus about the RRTYPE can be described as particularly rough. The
topic of obsoleting the SPF RRTYPE generated a lot of controversy near
the end of the WGLC. There was a very high number of messages about
the topic on the SPFBIS mailing list and the DNSEXT mailing list as some
DNSEXT WG participants were not aware of RFC 6686.
The topic of whether the SPF protocol has to reject mail or not when
the result of the evaluation is "Fail" was actively discussed. It
was determined that it was a matter of local policy.
There was discussion about standardizing the "best guess" heuristics to
guess possible SPF policies for domains that do not publish an SPF record.
The WG consensus was not to standardize the heuristics.
The topic of mail forwarding and mailing lists with respect to the SPF
protocol was not too controversial in comparison with the other
controversies. The WG consensus was to have the document discuss
the topic in a non-normative manner.
There was some controversy about whether the use of macros was a
security risk and whether to deprecate the PTR feature. There was a
formal appeal of the SPFBIS WG chairs' interpretation of the charter,
specifically regarding the removal of "unused" features. The two
features in particular which drove the appeal were the PTR feature
and the local-part macro feature. These features were not removed
from the document given that the appeal was denied by the Responsible
There was significant discussion about whether to use the
"Received-SPF:" header field or whether to use the
"Authentication-Results" header field to record the results of an SPF
evaluation. The working group decided to add both header fields in
the document as they are in common use.
There was a suggestion to reorganize the document. It was argued that
the document had become somewhat bloated with documentation of nuance
and other text that has nothing to do with defining a protocol and
enabling interoperability. This led to a stalemate. Based on the
discussion during the SPFBIS WG session at IETF 85 the WG decided to
proceed with a reorganization of the document while ensuring that the
reorganization did not create any text changes apart from moving text
There is rough consensus within the SPFBIS WG to publish the document.
There are multiple existing implementations of the SPF protocol. The
document was reviewed by the SPFBIS working group. Dave Crocker,
Stuart Gathman, Murray Kucherawy, John Levine, Hector Santos,
Andrew Sullivan, Arthur Thisell, and Alessandro Vesely reviewed the
document. Simon Perreault helped to clarify the meaning of IPv4 mapped
IPv6 addresses. Murray Kucherawy deserves a special mention for his
The document was reviewed by Cyrus Daboo on behalf of the Applications
Area Directorate. Meral Shirazipour reviewed the document for Gen-ART
and Phillip Hallam-Baker performed the Security Directorate review.
I suggest further review of the document from a DNS perspective.
The author confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and
BCP 79 have already been filed.
The working group was informed about an IPR disclosure filed for
RFC 4408 ( https://datatracker.ietf.org/ipr/1698/ ) before the
WGLC. There wasn't any noteworthy discussion about the IPR
RFC 5598 is already in the DOWNREF registry. The US-ASCII reference
is already used in standards track documents.
IANA action is requested to update the Resource Record (RR) TYPEs
registry. The "Received-SPF:" header field is being added to the
Permanent Message Header Field Registry. IANA is requested to
update the SPF Modifier Registry. The document does not create
any IANA registries.
An automated check of the ABNF in Appendix A was performed.
Id-nits lists a non-RFC2606-compliant FQDN, six non-RFC5735-compliant
IPv4 addresses and one instance of a private range IPv4 address.
These warnings can be ignored. The warning about CFWS is incorrect.
The reference to RFC 2671 is intentional; the document also
references RFC 6891.
Some WG participants have mentioned that they may express extreme
discontent about the decision to obsolete the SPF RRTYPE during
the Last Call.