More than 750,000 domains are already publishing Sender Policy Framework (SPF) records, the DNS records that list a domain's authorized outbound e-mail servers and that Microsoft's Sender ID Framework checks also rely on.
However, EarthLink has confirmed that it has stopped publishing SPF records for its domains, so mail servers that try to authenticate its email using SPF or Microsoft's Sender ID Framework (SIDF) will find no record to check against.
"We saw a significant number of false positives," EarthLink chief technology officer Tripp Cox told Datamonitor. "We felt it was safer to publish no record at all than to publish one that may be misinterpreted."
SPF and SIDF both propose ways to check whether an email really came from the domain it claims to originate from. Such a system, broadly adopted and combined with a reputation service, could help reduce junk email such as spam and phishing attempts.
Mr Cox was one of the lead researchers on a Messaging Anti-Abuse Working Group (MAAWG) paper released in July that, after testing both systems, concluded that MAAWG neither endorses nor discourages the use of SPF or Sender ID.
But the results were evidently enough for EarthLink to stop supporting the specification for the time being. Mr Cox said that the main problems arise when email passes through mailing lists or forwarders. That extra hop delivers the message from a server the originating domain's record never listed, so legitimate mail is flagged as failing.
There were also problems when senders had published SPF records written for the check SPF itself performs at the receiving side, on the SMTP envelope sender (MAIL FROM), while the receiver instead applied them under Microsoft's alternative check, the Purported Responsible Address (PRA), which is taken from the message headers.
These are well-known issues with the specs within the SPF community, according to Wayne Schlitt, an independent developer responsible for much of the recent work on SPF. The PRA problem is one of SPF’s beefs with Microsoft. Schlitt said he didn’t understand why EarthLink decided to drop SPF support – the ISP seemed to have implemented it in such a way that false positives would not be an issue – but said that its decision has had knock-on effects.
Some domain owners who had used the SPF 'include' mechanism to reference EarthLink's record from their own, to indicate that EarthLink's servers are authorized to send email on their behalf, found that the absence of an EarthLink record broke their own policy: an include of a domain that publishes no record evaluates to a permanent error, so they had to update their records or risk losing mail.
It appears that some of the problems being seen are down to implementation choices. SPF lets a publisher decide how strict its own sending policy is, but a sender obviously has no control over the policies of every possible recipient.
For example, a company with many roaming users could publish an SPF record that lists its controlled, authorized servers but ends with the 'soft fail' qualifier (~all), which states that email from other, unlisted servers is suspect but not necessarily unauthorized.
It is then up to the recipient mail server to decide how to treat these soft fails. If it is configured to reject them, and the sender has good reasons for publishing a flexible sending policy, legitimate mail can be lost.
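The three situations described above (a forwarder relaying with the envelope sender unchanged, an include: of a domain that has withdrawn its record, and a soft-fail policy meeting a receiver that rejects soft fails) as an added Go example. This is not EarthLink's code or any SPF library: the domains, addresses and records are constructed, a map stands in for DNS, only the ip4, include and all mechanisms are implemented, and PRADomain is a simplified version of the Sender ID header selection.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed TXT records standing in for DNS (all domains hypothetical).
var dnsTXT = map[string]string{
	"strict.example":   "v=spf1 ip4:192.0.2.0/24 -all", // hard fail for unlisted servers
	"roaming.example":  "v=spf1 ip4:192.0.2.0/24 ~all", // soft fail, for roaming users
	"customer.example": "v=spf1 ip4:203.0.113.10 include:isp.example -all",
	// "isp.example" deliberately publishes no record, as EarthLink now does.
}

var qualifiers = map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}

// CheckHost evaluates domain's SPF record for a connection from ip.
func CheckHost(ip, domain string, depth int) string {
	if depth > 10 { // recursion limit, as in the RFC
		return "permerror"
	}
	record, ok := dnsTXT[domain]
	if !ok || !strings.HasPrefix(record, "v=spf1") {
		return "none" // no usable policy published
	}
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return "temperror"
	}
	for _, term := range strings.Fields(record)[1:] {
		result := "pass" // the default qualifier is "+"
		if r, isQ := qualifiers[term[0]]; isQ {
			result, term = r, term[1:]
		}
		switch {
		case term == "all":
			return result
		case strings.HasPrefix(term, "ip4:"):
			cidr := strings.TrimPrefix(term, "ip4:")
			if !strings.Contains(cidr, "/") {
				cidr += "/32"
			}
			prefix, err := netip.ParsePrefix(cidr)
			if err != nil {
				return "permerror"
			}
			if prefix.Contains(addr) {
				return result
			}
		case strings.HasPrefix(term, "include:"):
			switch CheckHost(ip, strings.TrimPrefix(term, "include:"), depth+1) {
			case "pass":
				return result
			case "none", "permerror":
				return "permerror" // included domain has no usable record
			}
		default:
			return "permerror" // mechanism not handled in this example
		}
	}
	return "neutral" // record exhausted without a match
}

// ReceiverDecision is one receiving server's local policy; senders cannot control it.
func ReceiverDecision(result string, rejectSoftfail bool) string {
	switch result {
	case "fail", "permerror":
		return "reject"
	case "softfail":
		if rejectSoftfail {
			return "reject"
		}
	}
	return "accept"
}

// PRADomain picks the Purported Responsible Address domain, simplified from
// RFC 4407: the first of Resent-Sender, Resent-From, Sender, From present.
func PRADomain(headers map[string]string) string {
	for _, name := range []string{"Resent-Sender", "Resent-From", "Sender", "From"} {
		if v, ok := headers[name]; ok {
			return strings.ToLower(strings.TrimSuffix(v[strings.LastIndex(v, "@")+1:], ">"))
		}
	}
	return ""
}

func main() {
	fwd := "198.51.100.7" // a forwarder relaying with MAIL FROM unchanged
	for _, d := range []string{"strict.example", "roaming.example", "customer.example"} {
		r := CheckHost(fwd, d, 0)
		fmt.Printf("%s via forwarder: %s (strict receiver: %s, lenient receiver: %s)\n",
			d, r, ReceiverDecision(r, true), ReceiverDecision(r, false))
	}
	// Under Sender ID the same forwarded message has no Sender header, so the PRA
	// falls back to From and strict.example's record is checked against the forwarder.
	fmt.Println("PRA domain:", PRADomain(map[string]string{"From": "Alice <alice@strict.example>"}))
}
```

The forwarder's address is not in any of the three records, so the strict domain hard-fails, the roaming domain soft-fails and its fate depends entirely on the receiver's setting, and the customer that delegated to isp.example gets a permanent error once the ISP's record is gone, even though nothing in the customer's own record changed.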
EarthLink is not the only ISP to have changed its mind about Sender ID and SPF. Outblaze, a Hong Kong-based white-label email service provider with about 37 million accounts, dropped SPF in February, according to its postmaster, writing in a discussion on CircleID.com.
Mr Cox said it is not out of the question that EarthLink could adopt SPF or Sender ID again once they are more mature.
Both SPF and SIDF have been published by the Internet Engineering Task Force as 'experimental' RFCs rather than on the standards track, which essentially means only those taking part in the experiment are advised to implement them.
But Microsoft is pushing Sender ID hard regardless. The company is updating its Hotmail service to show users a warning bar when they open emails that cannot be verified by SPF/SIDF, which alone could encourage adoption. However, EarthLink will not be the only company choosing not to support SPF/SIDF, and Microsoft has said it has no plans to reject emails on the basis of their SPF status alone.
EarthLink appears to be more enthusiastic about DomainKeys Identified Mail (DKIM), the merged specification from Yahoo! and Cisco Systems, which many see as complementary to path-based authentication techniques such as SPF and SIDF.
DKIM authenticates mail with a cryptographic signature: an authorized outbound server signs selected headers and the message body with a private key, and a public key published in a DNS record lets the receiver check that the message was signed by that domain and has not been altered in transit. Because the check is on the message rather than on the delivering server's address, a forwarder that passes the message through unchanged does not break it.
EarthLink is signing 70% of its outgoing email with DomainKeys, the Yahoo!-developed predecessor that was merged into DKIM, and anticipates moving to the newer DKIM specification later this year, Mr Cox revealed.
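The DKIM mechanism described above, as an added Go example that is not EarthLink's code or any DKIM implementation: the selector, domain and message are constructed, a map stands in for DNS, and the signed input is reduced to two headers plus the body hash instead of the full RFC 6376 canonicalization and DKIM-Signature tag set. The RSA key is generated at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// PublishKeyRecord writes the "v=DKIM1; k=rsa; p=..." TXT record that a
// verifier looks up at <selector>._domainkey.<domain> into the map standing in for DNS.
func PublishKeyRecord(dns map[string]string, selector, domain string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	dns[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// signingInput is the hash the signature covers: From and Subject plus the
// body hash (bh=), a simplification of the RFC 6376 canonical form.
func signingInput(from, subject, body string) [32]byte {
	bh := sha256.Sum256([]byte(body))
	return sha256.Sum256([]byte("from:" + from + "\r\nsubject:" + subject +
		"\r\nbh=" + base64.StdEncoding.EncodeToString(bh[:])))
}

// Sign produces the base64 signature an authorized outbound server would put in DKIM-Signature.
func Sign(priv *rsa.PrivateKey, from, subject, body string) (string, error) {
	h := signingInput(from, subject, body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify fetches the selector's record, extracts the p= tag and checks the
// signature; which server delivered the message does not matter.
func Verify(dns map[string]string, selector, domain, from, subject, body, sigB64 string) error {
	record, ok := dns[selector+"._domainkey."+domain]
	if !ok {
		return fmt.Errorf("no DKIM key record published for selector %q", selector)
	}
	var pubB64 string
	for _, tag := range strings.Split(record, ";") {
		if tag = strings.TrimSpace(tag); strings.HasPrefix(tag, "p=") {
			pubB64 = strings.TrimPrefix(tag, "p=")
		}
	}
	der, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil {
		return err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("key record does not hold an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := signingInput(from, subject, body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Demo signs a constructed message and verifies it unchanged (as a forwarder
// would relay it), with an edited body, and under a selector that was never published.
func Demo() (valid, tamperedRejected, missingKeyRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	dns := map[string]string{} // constructed stand-in for DNS
	if err = PublishKeyRecord(dns, "s1", "isp.example", &priv.PublicKey); err != nil {
		return
	}
	from, subject, body := "alice@isp.example", "hello", "the original body\r\n"
	sig, err := Sign(priv, from, subject, body)
	if err != nil {
		return
	}
	valid = Verify(dns, "s1", "isp.example", from, subject, body, sig) == nil
	tamperedRejected = Verify(dns, "s1", "isp.example", from, subject, "edited body\r\n", sig) != nil
	missingKeyRejected = Verify(dns, "s2", "isp.example", from, subject, body, sig) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The verifier never consults the connecting server's IP address, which is why a plain forwarder does not produce the false positives seen with SPF; what it does need is the signing domain's public key to still be in DNS under the selector named in the signature.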