Sender ID is an historic anti-spoofing proposal from the former MARID IETF working group that tried to join Sender Policy Framework (SPF) and Caller ID. Sender ID is defined primarily in Experimental <nowiki>RFC 4406</nowiki>, but there are additional parts in <nowiki>RFC 4405</nowiki>, <nowiki>RFC 4407</nowiki> and <nowiki>RFC 4408</nowiki>.

Principles of operation

Sender ID is heavily based on SPF, with only a few additions.

Sender ID tries to improve on SPF: SPF does not verify the header addresses (of which there can be more than one) that indicate the claimed sending party. One of these header addresses is typically displayed to the user and may be used to reply to emails. These header addresses can be different from the address that SPF tries to verify; that is, SPF verifies only the "MAIL FROM" address, also called the envelope sender.

However, there are many similar email header fields that all contain sending party information; therefore Sender ID defines in <nowiki>RFC 4407</nowiki>

Standardization issues

The pra has the disadvantage that forwarders and mailing lists can only support it by modifying the mail header, e.g. by inserting a <code>Sender</code> or <code>Resent-Sender</code>. The latter violates <nowiki>RFC 2822</nowiki> and can be incompatible with <nowiki>RFC 822</nowiki>.

With SPF, mailing lists continue to work as is. Forwarders wishing to support SPF only need to modify SMTP MAIL FROM and RCPT TO, not the mail. This concept is not new: with the original <nowiki>RFC 821</nowiki> SMTP forwarders always added their host name to the reverse path in the MAIL FROM.

The most problematic point in the core Sender ID specification is its recommendation to interpret <code>v=spf1</code> policies like <code>spf2.0/mfrom,pra</code> instead of <code>spf2.0/mfrom</code>. This was never intended by all published SPF drafts since 2003, and for an unknown large number of <code>v=spf1</code> policies an evaluation for pra could cause bogus results for many cases where pra and mfrom are different. This problem was the basis of an appeal to the Internet Architecture Board (IAB). In response to another prior appeal the IESG already noted that Sender ID cannot advance on the IETF standards track without addressing the incompatibility with a MUST in <nowiki>RFC 2822</nowiki>. on key parts of Sender ID and used to license those patents under terms that were not compatible with the GNU General Public License and which were considered problematic for free software implementations in general. On October 23, 2006, Microsoft placed those patents under the Open Specification Promise, which is compatible with some free and open source licenses, but not with the most recent version of the GPL license, version 3.x.

See also

  • :Category:Email authentication
  • E-mail authentication overview
  • MARID (IETF WG in 2004)
  • DKIM
  • DomainKeys

References

  • ASF Position Regarding Sender ID statement from the Apache Software Foundation
  • IAB appeal about Sender ID's reuse of <code>v=spf1</code> for PRA from the SPF project (2006).
  • Debian project unable to deploy Sender ID statement by the Debian project
  • IETF Decides on SPF / Sender-ID issue coverage and discussion on slashdot
  • coverage and discussion on groklaw
  • MARID Co-Chairs Clarify Consensus Statement
  • MARID to close mailing list thread.
  • Sender ID: A Tale of Open Standards and Corporate Greed?
  • "SPF: SPF vs Sender ID"
  • "Sender Id Types in Different Countries"
  • "Sender Id"
  • Sender IDs, SMS templates