Email security was a headache for tech giants (and even some smaller companies) in the late 1990s. It was the time when threat actors started exploiting email communications to attempt impersonation, spoofing, and phishing-based attacks in the names of reputable companies and domain owners.
Considering the rise in email-based cyber threats, many experts got involved in developing the Sender Policy Framework (SPF), a technology that separates legitimate emails from illegitimate ones. In fact, in 2002, the FBI’s Internet Crime Complaint Center (IC3) issued its first annual report, sharing that the site received 49,711 complaints from January 1, 2001 to December 31, 2001.
It was then that Scott Kitterman started actively contributing to the development and advocacy of the Sender Policy Framework. His work largely revolved around refining the SPF specifications, supporting its adoption, and developing tools to facilitate its implementation.
Scott Kitterman’s Year-Wise Contributions to SPF
2003
Scott Kitterman began his involvement with SPF by contributing to discussions and developments within the SPF community.
2004
He played an important role in refining the SPF specifications, improving and stabilizing the protocol.
The IETF published the original SPF specification as RFC 4408 in April 2004. While the primary authors were Meng Weng Wong and Mark Lentczner, Kitterman contributed through discussions and suggestions during its development.
2005-2007
In these years, Kitterman connected with many stakeholders in companies’ email ecosystems to advocate SPF adoption. He focused on engaging with the right people, promoting SPF’s benefits, and encouraging its deployment.
Another notable contribution he made in these years involved creating tools and libraries to help domain owners implement SPF more easily. To do this, he wrote and maintained software that explained everything about SPF checks and validation. We will discuss the Kitterman SPF Validator tool in detail later in this blog.
2008-2013
Kitterman continued to work on improving the SPF specifications. His contributions included refining the syntax and semantics to make it more robust and easier to implement.
He also put effort into drafting and revising RFCs to solve the problems of new SPF users and to use their feedback to make the protocol better and foolproof. RFCs are formal documents from the Internet Engineering Task Force (IETF) that contain specifications and notes about Internet and computer networking topics.
2014
The revised SPF specification, which superseded RFC 4408, was published as RFC 7208 in April 2014. Kitterman was a co-author of this document, which aimed to clarify ambiguities and incorporate operational experience gained since the original specification.
2015-Present
Even today, he is an active member of the email security community, welcoming questions, suggestions, and feedback from owners and administrators of SPF-deployed domains across the world. He is continuing his effort to educate people about the importance and relevance of SPF.
Over time, he has also looked after the process of integrating SPF with DKIM and DMARC, the two other email authentication protocols that cover SPF’s limitations. DKIM ensures that only authorized entities send emails from a domain and that nobody tampers with the emails’ content in transit. DMARC allows domain owners to instruct recipients’ servers on handling emails that fail SPF and/or DKIM checks.
The Kitterman SPF Validator
The Kitterman SPF Validator is an online tool that you can use once you have generated an SPF record for your domain. You just have to enter your domain name in the tool, and it will retrieve the corresponding SPF record and evaluate it for configuration or syntax errors. It basically ensures your SPF record adheres to the correct format; otherwise, it can become invalid and ultimately useless in securing emails.
The tool checks the various mechanisms and modifiers used in the SPF record (such as ip4, ip6, include, a, mx, etc.) to confirm they are correctly specified and resolved as intended. Apart from this, the Kitterman SPF Validator evaluates the policy defined by the SPF record, such as whether it is using a -all (fail), ~all (soft fail), +all (pass), or ?all (neutral) qualifier. This helps you understand the implications of your SPF policy on email delivery.
Beyond its practical use, people use it for educational purposes to learn about common SPF mistakes and best practices to follow to avoid them.
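The kind of check described above, as an added example (not the Kitterman tool's code and not part of the original post): an offline linter that parses one SPF record, validates its mechanisms, and reports the `all` policy. The name `lint_spf` and the sample record are assumptions, and the example goes slightly beyond the post by also counting DNS-querying terms against the 10-lookup limit in RFC 7208.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 (redirect= counts too)


def lint_spf(record):
    """Return (all_policy, dns_lookups, problems) for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["record must start with v=spf1"]
    policy, lookups, redirect, problems = None, 0, False, []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                redirect, lookups = True, lookups + 1
            continue
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        name = name.split("/", 1)[0].lower()  # drop CIDR suffix from a/24, mx/24
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
            continue
        if policy is not None:
            problems.append(f"{term} follows 'all' and is never evaluated")
        if name in LOOKUP_MECHS:
            lookups += 1
        if name in ("include", "exists") and not arg:
            problems.append(f"{name} needs a domain: {term}")
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(arg, strict=False).version != int(name[2]):
                    problems.append(f"address family mismatch: {term}")
            except ValueError:
                problems.append(f"bad network in {term}")
        if name == "all":
            policy = QUALIFIERS[qual]
            if qual == "+":
                problems.append("+all authorizes every sender on the Internet")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}")
    if policy and redirect:
        problems.append("redirect= is ignored when 'all' is present")
    return policy, lookups, problems

# Constructed sample record (example.com and 192.0.2.0/24 are documentation values).
SAMPLE = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx include:_spf.example.com ~all"
```

Unlike the online validator, this sketch never queries DNS, so it cannot tell whether an `include` or `mx` target actually resolves.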
Legacy and Continuing Influence
Scott Kitterman’s contributions to SPF and email security continue to be influential. His work laid the foundation for more secure email communication and helped establish best practices that are still in use today. As email security threats evolve, Kitterman’s legacy endures through the ongoing use of SPF and the tools and resources he developed.
In summary, Scott Kitterman is a key figure in the history of email authentication, particularly the Sender Policy Framework. His technical contributions, advocacy, and community involvement have made a lasting impact on the security and reliability of email communication worldwide.