Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Sender ID
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{Short description|Failed anti-spoofing proposal}} {{Primary sources |date=May 2024}} '''Sender ID''' is an historic<ref>{{cite web| url=https://datatracker.ietf.org/doc/status-change-change-sender-id-to-historic/| title=Moving RFC 4405, RFC 4406, RFC 4407 (Sender-ID) to Historic| author=Alexey Melnikov| date=7 February 2020| website=[[Internet Engineering Task Force|IETF]]}}</ref> anti-[[E-mail spoofing|spoofing]] proposal from the former [[MARID]] [[IETF]] working group that tried to join [[Sender Policy Framework]] (SPF) and Caller ID. Sender ID is defined primarily in Experimental <nowiki>RFC 4406</nowiki>,<ref>{{Cite IETF|last1=Wong|first1=Meng Weng|last2=Lyon|first2=Jim|title=Sender ID: Authenticating E-Mail|RFC=4406}}</ref> but there are additional parts in <nowiki>RFC 4405</nowiki>,<ref>{{Cite IETF|last1=Katz|first1=Harry|last2=Allman|first2=Eric|title=SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message|rfc=4405}}</ref> <nowiki>RFC 4407</nowiki><ref name=":0">{{Cite IETF|last=Lyon|first=Jim|title=Purported Responsible Address in E-Mail Messages|rfc=4407}}</ref> and <nowiki>RFC 4408</nowiki>.<ref>{{Cite IETF|last1=Schlitt|first1=Wayne|last2=Wong|first2=Meng Weng|title=Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1|rfc=4408}}</ref> == Principles of operation == Sender ID is heavily based on [[Sender Policy Framework|SPF]], with only a few additions. Sender ID tries to improve on SPF: SPF does not verify the [[Email#Message header|header]] addresses (of which there can be more than one) that indicate the claimed sending party. One of these header addresses is typically displayed to the user and may be used to reply to emails. These header addresses can be different from the address that SPF tries to verify; that is, SPF verifies only the "MAIL FROM" address, also called the envelope sender. However, there are many similar email header fields that all contain sending party information; therefore Sender ID defines in <nowiki>RFC 4407</nowiki><ref name=":0" /> a Purported Responsible Address (PRA) as well as a set of heuristic rules to establish this address from the many typical headers in an email. Syntactically, Sender ID is almost identical to SPF except that <code>v=spf1</code> is replaced with one of: * <code>spf2.0/mfrom</code>{{Snd}}meaning to verify the envelope sender address just like SPF. * <code>spf2.0/mfrom,pra</code> or <code>spf2.0/pra,mfrom</code>{{Snd}}meaning to verify both the envelope sender and the PRA. * <code>spf2.0/pra</code>{{Snd}}meaning to verify only the PRA. The only other syntactical difference is that Sender ID offers the feature of ''positional'' modifiers not supported in SPF. In practice, so far no ''positional'' modifier has been specified in any Sender ID implementation. In practice, the ''pra'' scheme usually only offers protection when the email is legitimate, while offering no real protection in the case of spam or phishing. The ''pra'' for most legitimate email will be either the familiar From: header field, or, in the case of mailing lists, the Sender: header field. In the case of phishing or spam, however, the ''pra'' may be based on Resent-* header fields that are often not displayed to the user. To be an effective anti-phishing tool, the MUA (Mail User Agent or Mail Client) will need to be modified to display either the ''pra'' for Sender ID, or the Return-Path: header field for SPF. The ''pra'' tries to counter the problem of ''phishing'', while SPF or ''mfrom'' tries to counter the problem of spam bounces and other auto-replies to forged Return-Paths. Two different problems with two different proposed solutions. However, Sender-ID and SPF yield the same result in approximately 80% of the cases, according to a billion message analysis.<ref name=rfc6686>{{cite IETF |title=Resolution of the Sender Policy Framework (SPF) and Sender ID Experiments |rfc=6686 |author=[[Murray Kucherawy]] |year=2012 |publisher=[[Internet Engineering Task Force|IETF]]}}</ref> ==Standardization issues== The ''pra'' has the disadvantage that forwarders and mailing lists can only support it by modifying the mail header, e.g. by inserting a <code>Sender</code> or <code>Resent-Sender</code>. The latter violates <nowiki>RFC 2822</nowiki><ref name="rfc2822">{{Cite IETF|last=Resnick|first=Peter W.|title=Internet Message Format|rfc=2822}}</ref> and can be incompatible with <nowiki>RFC 822</nowiki>.<ref>{{Cite IETF|last=Crocker|first=D.|title=STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES|rfc=822}}</ref> With SPF, mailing lists continue to work as is. Forwarders wishing to support SPF only need to modify SMTP MAIL FROM and RCPT TO, not the mail. This concept is not new: with the original <nowiki>RFC 821</nowiki><ref>{{Cite IETF|last=Postel|first=J.|title=Simple Mail Transfer Protocol|rfc=821}}</ref> SMTP forwarders always added their host name to the reverse path in the MAIL FROM. The most problematic point{{According to whom|date=March 2021}} in the core Sender ID specification is its recommendation to interpret <code>v=spf1</code> policies like <code>spf2.0/mfrom,pra</code> instead of <code>spf2.0/mfrom</code>. This was never intended by all published SPF drafts since 2003, and for an unknown large number of <code>v=spf1</code> policies an evaluation for ''pra'' could cause bogus results for many cases where ''pra'' and ''mfrom'' are different. This problem was the basis of an appeal to the [[Internet Architecture Board|Internet Architecture Board (IAB)]]. In response to another prior appeal the [[IESG]] already noted that Sender ID cannot advance on the [[IETF]] standards track without addressing the incompatibility with a MUST in <nowiki>RFC 2822</nowiki>.<ref name="rfc2822" /> Various surveys performed in 2012, when SPF turned from experimental to proposed standard, showed that fewer than 3% of mail domains published specific requests for using the ''pra'', compared to some 40~50% of mail domains using SPF.<ref name=rfc6686/> == Patents == The Sender ID proposal was the subject of controversy regarding [[licensing]] issues: [[Microsoft]] holds [[patent]]s<ref>{{cite mailing list |url=http://www.imc.org/ietf-mxcomp/mail-archive/msg04844.html |title=FW: Microsoft's Updated Statement about IPR Claimed in <draft-ietf-marid-core-03.txt> and <draft-ietf-marid-pra-00.txt> in Combination |mailing-list=IETF MARID List |access-date=2011-12-20 |url-status=dead |archive-url=https://web.archive.org/web/20120414184741/http://www.imc.org/ietf-mxcomp/mail-archive/msg04844.html |archive-date=2012-04-14 }}</ref><ref>{{Cite web|url=http://www.internetnews.com/dev-news/article.php/3409971/Exposed+Sender+ID+Patents+Up+Debate.htm|title=Exposed Sender ID Patents up Debate|date=20 September 2004}}</ref> on key parts of Sender ID and used to license those patents under terms that were not compatible with the [[GNU General Public License]] and which were considered problematic for [[free software]] [[implementation]]s in general. On October 23, 2006, Microsoft placed those patents under the [[Open Specification Promise]], which is compatible with some free and open source licenses, but not with the most recent version of the GPL license, version 3.x.{{Citation needed|date=March 2021}} ==See also== * [[:Category:Email authentication]] * [[E-mail authentication]] overview * [[MARID]] (IETF WG in 2004) * [[DKIM]] * [[DomainKeys]] ==References== {{reflist}} ==External links== * [http://www.apache.org/foundation/docs/sender-id-position.html ''ASF Position Regarding Sender ID''] statement from the [[Apache Software Foundation]] * [http://www.iab.org/appeals/2006-02-08-mehnle-appeal.html IAB appeal] about Sender ID's reuse of <code>v=spf1</code> for PRA from the [https://web.archive.org/web/20060702025443/http://new.openspf.org/ SPF project] (2006). * [http://www.debian.org/News/2004/20040904 ''Debian project unable to deploy Sender ID''] statement by the [[Debian]] project * [http://slashdot.org/article.pl?sid=04/09/13/1317238 ''IETF Decides on SPF / Sender-ID issue''] coverage and discussion on [[slashdot]] * [http://www.groklaw.net/article.php?story=20040908180737547 ''Is Sender ID Dead in the Water? - No MARID Working Group Consensus''] coverage and discussion on [[groklaw]] * [http://www.moongroup.com/index.php?option=content&task=view&id=26&Itemid=2 MARID Co-Chairs Clarify Consensus Statement] * [https://web.archive.org/web/20040929020641/http://www.imc.org/ietf-mxcomp/mail-archive/msg05054.html ''MARID to close''] mailing list thread. * [http://www.circleid.com/posts/sender_id_a_tale_of_open_standards_and_corporate_greed_part_i/ Sender ID: A Tale of Open Standards and Corporate Greed?] * [http://www.openspf.org/SPF_vs_Sender_ID "SPF: SPF vs Sender ID"] * [https://help.msg91.com/article/53-sender-id-in-various-countries "Sender Id Types in Different Countries"] * [http://www.mysmsmart.com/ "Sender Id"] * [https://nrt.co.in/bulk-sms/ Sender IDs, SMS templates] [[Category:Email authentication]] [[Category:Anti-spam]] [[Category:Microsoft initiatives]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:According to whom
(
edit
)
Template:Citation needed
(
edit
)
Template:Cite IETF
(
edit
)
Template:Cite mailing list
(
edit
)
Template:Cite web
(
edit
)
Template:Primary sources
(
edit
)
Template:Reflist
(
edit
)
Template:Short description
(
edit
)
Template:Snd
(
edit
)