The first public preview of ORF 5.4 is just around the corner and we are kicking off this blog article series to introduce you to some of the changes shipping in the new version. This first post is about the SPF update.
ORF was among the first products to add support for authenticating emails using the Sender Policy Framework (SPF) in September 2005. You can tell we got a bit early in the game, because RFC4408 — the standard that governs SPF — was published only 8 months later in April 2006. Changes between the implemented draft version and final RFC did not call for a change, though. The first update that really changed a few things is RFC7208, published last year.
We are now shipping ORF 5.4 with a fully RFC7208-compliant SPF client that can do validation as per the latest standard version. Our updated library debuted in our SPF validation services in May and has been tested by thousands of users worldwide since.
The changes introduced by RFC7208 are non-breaking, so policies published using the earlier version will be readily consumed and validated by ORF. Perhaps the most significant change is with error handling, which is more clearly defined and also more lenient than in the earlier standard version. SPF evaluation for a considerable portion of policies used to end up in errors in ORF, because they referenced non-existent DNS records, which ORF used to treat as a policy error — we argued that policy publishers would not reference non-existent DNS data intentionally, so such missing reference questions the integrity of the SPF policy. Given how common this issue is, it’s no wonder that RFC7208 now defines a clear procedure for such errors, allowing at most two such references before the evaluation ends up in an error. We have mixed feelings about this change, but we do expect it will allow the evaluation of more policies in ORF.
There have been more changes, but mostly technical — gory details are available in our earlier blog post about the SPF update.
We will be back with more on ORF 5.4 soon, stay tuned.