On Mon, 2005-01-10 at 09:37 -0500, Andrew Newton wrote:
On Jan 10, 2005, at 6:38 AM, David Woodhouse wrote:
SPF has insurmountable technical flaws which render it unsuitable
for IETF endorsement;
With all due respect, this is only your opinion.
This is indeed only opinion. I don't think it's only _my_ opinion
though.
How would you characterize its "massive" acceptance compared to
everything else?
As far as I can tell, it's largely due to extremely disingenuous
marketing on the part of the SPF advocates. Part-time mail admins get
taken in by the hype and start to publish SPF records without realising
how common the false positives are. On a number of occasions when I've
explained the technical details to someone they've expressed surprise
and taken down their SPF record, or abandoned their previous intention
to publish one. I originally investigated SPF with a view to using it,
but thankfully I did have the time to think it through for myself and
decided not to do so.
It's also due to the fairly misleading nature of statistics. The
statistic which gets quoted is the number of domains publishing SPF
records -- about 0.3% IIRC. However, that includes those who end their
record in '?all', which is mostly a no-operation. And more to the point,
there are far fewer people actually _checking_ SPF and rejecting mail
for a failure.
With all this talk on this list about the best being the enemy of the
good, I'd like to point out that perhaps SPF is good enough.
In my opinion, SPF cannot possibly be considered 'good enough' until
some time after RFC4821 has been published and has mandated something
along the lines of SRS.
I do see the point in accepting something which is 'good enough' rather
than striving for perfection, but I don't think that SPF is it. SPF just
has too many false positives, and the idea that people will all
implement SRS is really just a pipe-dream. Given that DomainKeys is
deployable today, I really can't see the justification for pushing SPF.
I know that the people who've implemented SPF and then abandoned it due
to the false positives are _much_ less likely to implement whatever MASS
comes up with. Whoever tricked them into using SPF in the first place
has done us all a disservice.
Striving too much for perfection is bad, I agree -- but pushing a
massively suboptimal solution just because it's ready _today_ is worse.
My definition of 'good enough' would be DomainKeys, IIM etc. as they
stand today, used only for the 'most recent sender'. I happen to think
it's silly to use RFC2822 identities in authentication only for the
duration of a single transition through the RFC2821 transport system and
not for the entire lifetime of the RFC2822 entity, but it's "good
enough".
--
dwmw2