ietf-mxcomp

RE: Matrix of consistency accuracy

2004-04-27 11:35:47
Hallam-Baker, Phillip [mailto:pbaker(_at_)verisign(_dot_)com] 
Bulk [2]
RFC 2821 From          Bulk    Y
RFC 2822 From          Client  ?
RFC 2822 Sender                --NULL--        -

This category also includes a variety of hosted, vertical applications, not
just bulk mail.

[2]    The bulk sender may not be able to get the client to configure their
DNS to include them
...
   It may be difficult for bulk senders to comply with requirements.

I would argue that a solution that doesn't enable you to authenticate and
thus accredit the originators of bulk and vertical application email is
useless, and if you design this correctly it's possible for originators to
comply without having to abandon their outsourcing. Forcing them to either
abandon outsourcing or outsource from only one place is likely to cause
massive delays in adoption. 

Bulk and vertical application mail is exactly the type of mail currently
very subject to false positives, and also the sort of mail for which
accreditation is most interesting. Every online storefront has significant
costs associated with transaction confirmations that do not arrive. Remember
that the majority of online stores are not Amazon; they don't have their own
infrastructure. They are using a hosted application, and this hosted
application is reasonably likely to not be the same as their web site
hosting provider. It is extremely common for individual small business
domains to use multiple providers. Small businesses are the largest
component of the US economy (I don't know the numbers for other countries);
a solution that leaves them out is not a solution. 

All that being said, with the right record structure and the right tools in
place it should be possible for a business to effectively say "these are my
vendors" and generate a MARID record for 2821 and 2822 which is then sent to
the technical administrator for insertion into the DNS. To do this you need
a way to indirect, and a way for vendors to set up per-client or per group
records. To look at it from the user's point of view, they type in the
product or company names (which the vendors are responsible for making easy
to find) for all of their vendors, plus whatever id the vendor gave them,
and the tool generates the records.

For larger companies, I don't think being told that they effectively can't
outsource email will be considered a solution either. Verisign may not want
to do it, but most large companies use more than one bulk email provider.

Yes, I am biased here, but I also know what is necessary to get ESPC member
company clients to adopt. If the cure is worse than the disease you'll get
the disease in all but a few very security-conscious places.

Margaret. 