Something in the last chat in the MARID XMPP room just grabbed my brain
as sounding very true:
mengwong: i still think 2821 return-path and HELO attract
designated-sender approaches, and 2822 attracts crypto approaches.
mengwong: but as an intermediate solution, we can connect 2821 and 2822
together using imperfect means to deliver acceptable interim results.
That's always seemed the case to me. There's two separate levels of
verification, and I didn't see this until just now (because I am an ISP,
The first is to authenticate remote mailers to local mailers -- this is
the link that ISPs more than likely care most about. We want to make
sure our resources aren't abused, that we don't incur a liability
(neither legal (as in a lawsuit) nor technical (as in a DNSBL listing)).
After that, we want to keep the spam down for our users, because our
users are annoyed at the stuff in their inbox. On top of that, a
non-trivial portion of our customers can't stand to have a single
legitimate email bounced, especially if the blame can be placed on their
If there's a relatively agreed-upon standard for validation, though, I
think that last caveat softens a lot: One can put the blame squarely on
something the sender did wrong. If the MARID records are strictly
opt-in (so that a non-existant record is treated as a somewhat suspect
pass), then if a publisher or sender declares a policy to enforce, they
can be blamed for saying the wrong thing and causing mail to be
rejected. This is very attractive to adopting on the receiving side.
If we do reject someone's legitimate (to the receiver) mail, we want
someone to blame.
The second layer of checking is the user-to-user, which -does- encourage
cryptographic solutions, because there are so many scenarios, and
because which users trust which users at which domains is a complex
issue, too. I think there's something to be said for a weaker,
domain-to-mta or mta-to-mta validation, because it's nice to not step
into the realm of validating who-said-what, and sticking to "this user
is authorized by us to speak at all".
There's also two things I'm looking for:
1. Traceability -- so if an abuse is committed, I can find the people in
charge of the domain (because they're the ones technically in charge,
usually, not the users, who are just using their MUA the way their
grandkids said to.)
2. Automatic rejection of the obvious abuses.
Some points to ponder.