ietf-mailsig

Re: costs of different approaches

2004-10-04 09:42:15

On Sat, 2 Oct 2004, Dave Crocker wrote:

> The common, public mantra is that approaches like domainkeys are
> more 'complex' than approaches like spf and sender-id.
>
> I believe this is wrong, for exactly the reason you state.  Path
> registration schemes have simpler software algorithms, but far
> more difficult on-going administration requirements.  So it is a
> trade-off between one-time codewriting versus on-going
> administration effort.

Very good point about on-going administration costs.  I've been talking to
a lot of people who think that putting a crypto solution in place is twice
as complex as a path system because "IP-based schemes only require a new
DNS record while crypto-based schemes require a DNS record *and* a piece
of signing software to be put in place".

This view is fairly simplistic though, because when I ask them to audit
the number of places they actually send mail from, the third party mailers
they have contracted with, and how they are going to get their remote
end-users to connect to an "authorized" mail relay, they start to
understand that putting a new piece of software in the outbound mail
stream for signing is really a very small piece of the puzzle.

-Rand

