On Wed, 2005-06-15 at 11:11 -0400, Michael Hammer wrote:
You don't resolve an issue of someone doing a wrong thing by giving in
through a work around that gives validation to the publication of
"their" (SPF2.0) record.
For "Sender Policy Framework (SPF) for Authorizing Use of Domains in
E-MAIL, version 1", the listed authors are M. Wong, and W. Schlitt. For
"Sender ID: Authenticating E-Mail" the listed authors are J. Lyon, and
M. Wong. The "spf2.0/" record syntax was a product of the MARID WG
specifically addressing this very issue. As all the authors
participated in the MARID WG that identified this scope related problem,
and as both of these drafts also credit common authorship, it would be
impossible to say which draft is now authoritative for the "v=spf1"
By excluding a solution for a known problem, how can it be said the
draft for SPF based upon the bounce-address made any attempt to avoid
this situation? At least Sender-ID accommodates use of the SPF2.0
record. On April 13, 2004 Wayne, in response to Harry Katz talked about
the use of SPF2. By August 13, Mark Lentczner announced adoption of the
"spf2.0/" instead of the "v=spf2" by the design team for the
draft-ietf-marid-protocol-01. Checking the archive, around August 19,
my email warns of the problem of assuming the PRA as a scope for the
v=spf1 record. On August 25, Meng Wong introduced the "mfrom" scope as
a solution. This was done amid growing concerns of the licensing
required by Microsoft.
It has been nearly a year to consider the impact of this problem. Only
those that don't care about the scope of the record should publish
"v=spf1". Those that care, should publish "spf2.0" records that declare
the assured scope.