John Levine wrote (regarding a MARID record like
+indirect:msn.com/targetrep):
If I were a spammer sending Ci(_at_)l1s spam through zombies on
MSN and Comcast, I agree that this is the SPF record I would
use. But it is hard for me to imagine why anyone else would
believe an attempt to piggyback on MSN and Comcast's reputation
unless they already had other reasons to find me credible.
You get to piggyback on MSN's reputation exactly when you send mail
through their mail servers. If MSN has a reputation for not sending
spam, and you get my domain's mail from MSN's servers, then you can be
assured it's not spam, because if I try to send spam, MSN will either
kick me off, rate-limit me, or fine me. This is exactly why the
questions of authentication and reputation are intertwined. You don't
get to piggyback on MSN's reputation if your mail doesn't go through
MSN's servers.
Regarding XML or not, John wrote:
If experiments show that recipients can use big rich XML data
to deal with spam significantly better, great. At that point,
it should be easy to send MARID 1.1 with XML along the track.
But you have to do the work and show us the horse before you
can get this cart moving.
Assuming that MARID 1.0 enjoys any success, then if we go down the route
you suggest there will be lots of MTAs and other programs out there that
understand SPF-style syntax, but not XML. If we then define an XML
syntax, it would be a hard step for a domain to publish using it,
because their record becomes effectively invisible to all of the
then-deployed MTAs out there.
In short, discontinuous changes of format seldom happen.
Upward-compatible extensions happen all the time. SPF format does not
have sufficient extensibility. XML does.
-- jimbo