ietf-mxcomp

Re: FW: Drive Towards Consensus [was Re: On Extensibility in MARID Records]

2004-06-18 17:38:28

On Fri, 2004-06-18 at 15:46, Jim Lyon wrote:

> Reputations Tied to Individual Mechanisms
> ----------- ---- -- ---------- ----------
>
> (This is mostly a repeat of
> http://www.imc.org/ietf-mxcomp/mail-archive/msg02090.html)
>
> Suppose I have a small domain with no reputation.  Suppose I'm a
> customer of both MSN and Comcast, and I send some of my outbound mail
> through MSN's mail servers, and some through Comcast's mail servers.  As
> things currently stand, I'd publish a MARID record like:
>     v=spf1 +indirect:msn.com +indirect:comcast.com -all
>
> This authenticates me very well (assuming that MSN and Comcast each do a
> sufficient job of policing their internal networks to keep other
> customers from masquerading as me).
>
> When we get into the question of reputation, the argument goes something
> like:  If you get mail from me through MSN's mail servers, you should
> believe it's not spam because MSN does a good job of keeping its
> customers from sending spam.  Similarly, if you get mail from me through
> Comcast's mail servers.  The degree to which you as a receiver believe
> my mail is not spam is exactly a function of one of my ISP's
> reputations.

Do you expect to increase the workload at the MTA and require vetting of
accreditation services based upon the individual?  How can this
accreditation service be sure they are accounting for the right
individual?  Although there is some cost associated in creating a
domain, there is virtually no cost associated with creating a user. This
accreditation service would be left ferreting through forged mail,
spoofed complaints, and fictitious users as the IP checks just the
domain.  I see even more destruction of mail's flexibility in store to
support this innovation however.  Like a bull in a china shop, this
breaks everything around it.

Again, the Fenton proposal allows the needed assurance for such
individual vetting without destroying mail's best features.  Add another
SRV record where instead of using _krs (Key Registration Service) use
_urs (User Reporting Service) for such an individual service or add to
the krs dialog.  This URS could establish a dialog to allow complaints
to be registered, where the domain can then take the needed
administrative action.  Accreditation would be based upon the domain and
not something as unscalable as a user. Of course complaints would
require proper identification using the same key based checks. ; )  Here
the Fenton proposal is infinitely extensible without piling everything
together and would make such a service achievable.  Easily done at the
MUA and does not require breaking mail to accomplish this.


> Message Types Tied to Individual Mechanisms
> ------- ----- ---- -- ---------- ----------
>
> Many domains send both non-bulk and bulk mail, generally through very
> different parts of their organization.  It may be useful to have
> annotations on an SPF mechanism that describe the kinds of mail they
> send.  For example:
>     v=spf1 +mx/bulk +indirect:comcast.com/nonbulk -all


Sure. I would believe this notation. : )

-Doug
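
An added example, not part of either poster's message: a small Python parser for the record notation quoted in this thread, returning which mechanisms the publisher itself labels as bulk or non-bulk. The `indirect` mechanism and the `/bulk` and `/nonbulk` annotations are the thread's proposed syntax; the function names are hypothetical, and reading a numeric suffix as a prefix length follows existing SPF usage such as `mx/24`.

```python
import re

# One term: [qualifier] name [":" value] then zero or more "/suffix" parts.
TERM = re.compile(
    r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?::([^/\s]+))?((?:/[A-Za-z0-9]+)*)$"
)

def parse_record(record):
    """Parse a v=spf1 record into a list of term dicts."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    terms = []
    for tok in tokens[1:]:
        m = TERM.match(tok)
        if m is None:
            raise ValueError("unparseable term: %r" % tok)
        qualifier, name, value, suffixes = m.groups()
        cidr, annotations = None, []
        for part in suffixes.split("/")[1:]:
            if part.isdigit():
                cidr = int(part)                  # existing SPF use of "/": prefix length
            else:
                annotations.append(part.lower())  # the thread's proposed use of "/"
        terms.append({
            "qualifier": qualifier or "+",        # SPF's default qualifier is "+"
            "mechanism": name.lower(),
            "value": value,
            "cidr": cidr,
            "annotations": annotations,
        })
    return terms

def declared_sources(record, kind):
    """Return (mechanism, value) pairs that the publisher labels with `kind`."""
    return [(t["mechanism"], t["value"]) for t in parse_record(record)
            if kind in t["annotations"]]

# Constructed samples: the two records quoted in the thread.
PLAIN = "v=spf1 +indirect:msn.com +indirect:comcast.com -all"
ANNOTATED = "v=spf1 +mx/bulk +indirect:comcast.com/nonbulk -all"

if __name__ == "__main__":
    print(declared_sources(ANNOTATED, "bulk"))
    print(declared_sources(ANNOTATED, "nonbulk"))
```

The labels come straight from the publisher's own DNS record, so the parser can report what is claimed but cannot confirm that the mail is of that type.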

