ietf-mxcomp

Re: Three major areas of concentration

2004-03-13 11:38:17

In 
<C6DDA43B91BFDA49AA2F1E473732113E0A19AE(_at_)mou1wnexm05(_dot_)vcorp(_dot_)ad(_dot_)vrsn(_dot_)com>
 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:

> The asset we are trying to protect here is the end user's
> inbox and the resources at the receiving end.

I think that the user's inbox is just *one* of the assets that I am
interested in seeing protected.  The domain owner and network owner's
good name is another asset that I think needs to be protected.  There
are already a lot of techniques to help protect the inbox, but there
are far fewer to protect people from misuse of domain names.


> If you do it my way a lot of the problems disappear. For example the
> whole confusion between CallerID style message header validation and
> SPF style envelope validation. This is no longer part of the NORMATIVE
> specification. Sure we give an INFORMATIONAL algorithm for interpretation
> but that does not have to be updated to track the changing configurations
> of the Internet.

I don't see that the problems would just disappear.  The envelope
information and the header information are different in many ways.
Information that is appropriate for one may well not be appropriate
for the other.


> We should not be arguing over how the receiver uses this information,
> it is not relevant.

It's the receiver's MTA, so it is the receiver's rules.  It will
always be up to the receiver to do with email as they think is best.


> Until we have mail servers that are configured to verify their
> configuration before sending each piece of outgoing mail it is unlikely
> that anyone is going to reject outright email that fails SPF validation.
> Instead they will attach a negative score and run the mail through the
> spam filters.

There are already a growing number of mail servers that reject email
outright if the SPF validation fails.  I wish I knew how many MTAs
were doing this, but it is much harder to track than the domains that
publish SPF records.

For example, I block email that fails SPF validation.  Because it is
new technology, I am watching it fairly closely.  The results so far
have been quite good.  I haven't seen a false positive yet, and it is
blocking about 1% of the spam I receive.  Sure, that isn't a very high
percentage, but SPF is still pretty new.


-wayne