I send some of my outbound mail through MSN's mail servers, and some
through Comcast's mail servers. As things currently stand, I'd publish
a MARID record like:
v=spf1 +indirect:msn.com +indirect:comcast.com -all
If I were a spammer sending Ci(_at_)l1s spam through zombies on MSN and
Comcast, I agree that this is the SPF record I would use. But it is hard
for me to imagine why anyone else would believe an attempt to piggyback on
MSN and Comcast's reputation unless they already had other reasons to find
me credible.
When we get into the question of reputation, the argument goes something
like: If you get mail from me through MSN's mail servers, you should
believe it's not spam because MSN does a good job of keeping its
customers from sending spam. Similarly, if you get mail from me through
Comcasts's mail servers. The degree to which you as a receiver believe
my mail is not spam is exactly a function of one of my ISP's
reputations.
Perhaps, but you don't get to say that MSN and Comcast vouch for you.
They do. That's why it's pointless to self-publish any reputation info
beyond pointers to other sources that people might be willing to believe.
In any event, I think that we need to take Vint Cerf's recently cited
comments to heart here. He commented (roughly) that the Internet was
built by doing experiments and writing up the results so that people could
see how well they worked. At this point the only MARID-like thing that's
had the benefit of experiments is SPF. SPF has all sorts of shortcomings
that we all know, and I find even SPF overcomplex, but at least we have
some idea how hard it is to publish and to decode.
I'm not ruling out the possibility that people will find useful and
interesting info to put into a MARID record that would be complex enough
to merit XML, but at this point, it's all hypothetical. The reality is
that for a lot of us, an XML parser would double the size of our SMTP
daemons, and it'll take a more compelling argument than "we might come up
with something" to make it worthwhile. The sensible approach is to send
an SPF-ish design down the standards track, and to keep experimenting.
Given the reception in the SPF community, they're not going to parse XML
no matter what MARID says, and we need to keep in mind that the IETF can't
tell anyone to do anything they're not inclined to do.
If experiments show that recipients can use big rich XML data to deal with
spam significantly better, great. At that point, it should be easy to
send MARID 1.1 with XML along the track. But you have to do the work and
show us the horse before you can get this cart moving.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.