"John Levine" opined:
... the least bad option seems to me to be to
move both Sender ID and SPF ahead as experimental standards. They're
both experimental because we still have only the sketchiest experience
with day to day usage of both, and we don't know about server loads,
DNS loads, likely spammer counterattacks, or anything else
operational. People who are so inclined can easily implement both,
particularly if they use the same DNS records.
This proposal has within it the opprtunity to ameliorate the concerns over
Sender-ID's lack of defense against the Sender-ID-specific mode of
'bounce-bomb' attack - documented this morning in
"TECH-OMISSION: Security vulnerability - Malicious DSN attacks".
For an experimental phase the concerns could be reduced by:
1) Releasing Sender-ID at the same time as, or after, SPF
2) Recommending, either in Sender-ID or in an accompanying BCP that:
"In the event of a Sender-ID test result of 'Fail', an SPF test of the Mail-From
address SHOULD be undertaken. If that SPF test should also 'Fail' the message
SHOULD be silently discarded."
draft-zinn-smtp-bounces-01.txt may be cited as 'proto-authority' for the
If this approach were to prove successful, I would recommend that the SHOULDs
above be changed to MUSTs in a post-experimental phase.