1. It requires changes to DNS
The idea behind RMX can be implemented without changes to DNS, however. For
example, via MX records, as already mentioned, or via some specially coded A
record (see http://www.bondedsender.org/#dns-info).
2. Too many control points. There are just too many domain names and too
many domain name servers for the presence of an RMX record to mean much.
Yes, it reduces the forged header problem, but it's just too easy to set up
your own domain name server that it will mean little in the way of
controlling spam.
Presumably this is what Dave Crocker meant when he said:
However, the belief that it would have been useful under those
circumstances is based on the view that the administrator of the
timesharing system was independent of the person running the
applications AND that administrator could be expected to be trustworthy.
And therein lies the same, serious problem with RMX.
3. What do you do when there is no RMX record?
My proposal, for _any_ authentication scheme, is to bridge the gap with a
"mandatory" challenge-response system. If you disagree with that, what is
your proposal for how mail from non-RMX systems should be handled.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg