[Sorry; premature transmission the last time]
I recognize that we are trying to protect our 'own' reputations here
but if birds of a feather don't flock together, those that don't reign
in their systems when publishing SPF's will cause us all grief.
I think I'm disagreeing with exactly this point.
Those that don't reign in their systems are in the status quo; those
that do reign in their systems protect themselves.
I am not really concerned about those that will do it right because
that
is not really the issue.
The problem is that using wide-open Madrid, one spammer can reference
another.
But this will happen NO MATTER WHAT WE DO in Marid: If it's flexible
enough to be practical for the good guys, then it's flexible enough for
the bad guys. And the bad guys will (a) purchase large numbers of
domains, many and often, and (b) will collude amongst themselves to
share address information by any of a number of means, not just this
range info.
In eliminating forgeries of domains, we will have made huge progress,
not just on the lack of impersonation per se, but in dividing the world
into, roughly, those domains who send spam, and those who don't.
But it's going to take a whole not more sophistication than simple
enumerative lists of domain names to fully exploit this.
This makes domain blocking hopeless and puts me back in the
business of blocking single IP's or doing the extra work to try to
figure out their netblock manually because I cannot explicitly
'distrust' anyone.