John Gardiner Myers wrote:
Below I've summarized, for each type of identity we're considering
securing, what the identity is used for, the benefit we gain from
widespread implementation, and the current use cases that are broken by
widespread implementation.
Thanks and keep up the good work!
In my experience, spammers are quick to adapt to changes in the
ecosystem--much more so than many legitimate users. It is unlikely that
protecting any of these identities will result in more than a temporary
reduction in the volume of spam, it will merely change the attack
vectors that spammers use.
That is true. However, closing any tactic permantently helps somewhat.
Second, it can be used as a base for further systems such as
reputation/accreditation/trust. And of course as you stated, there are
other benefits to this aside from spam specifically forcing spammers to
use a non-protected or their own domains to redirect the junk resulting
from bounces.
* HELO/EHLO domain
- Used in constructing the Received: header
Given wide deployment:
Spammers/viruses will use domains over which they have control or
through which they're able to relay.
It does make sure that spammers/viruses do not use your domain for their
junk. So it protects participating domains. Also, it could be used as a
basis for a reputation scheme.
* MAIL FROM (Return-Path:)
- Used for the recipient of bounce mail
Given wide deployment:
Unrelated third party domains which assert a policy will not receive
bounces from forged return paths. Such bounces will instead go to
domains controlled by spammers, domains through which spammers are
able to relay, domains that don't assert a policy, or to the empty
return path.
There is also a benefit - if the MAIL FROM parameter is verifiable, then
people will be more willing to actually send MDNs as opposed to the
outlook right now not to. This helps legit bounced messages to get back
to their senders.
Yakov