OK, here's what I see as the problems with Unified SPF (as I understand
the proposal) as compared with using SenderID in conjunction with
CSV/CSA.
1. Unified SPF encourages (but doesn't require) the same check to be
made on the HELO as on other identities. If this is how it is
deployed in practice, it will lead to unnecessarily lax checks on
the HELO, which will reduce the effectiveness of the HELO check.
A complex SPF record may reference many different providers,
whereas a particular HELO string will typically come from a
specific MTA. The big problem though is when an SPF record ends in
?all or ~all. It is counterproductive to encourage people to use
this same record for HELO checks. You may not know all the MTAs
that might sometimes originate mail for your domain, but HELO
strings typically identify individual MTAs, and you almost
certainly know the exact list of IP addresses in use by a specific
MTA under your control. Encouraging people to relax the HELO check
just because they don't feel comfortable with a strict PRA (or MAIL
FROM) check is undesirable.
2. It's not clear that unifying them (in the sense that I understand
is intended by Meng Weng Wong) makes much sense, given the set of
valid identities is typically disjoint. Ignoring for a moment the
fact that a HELO identity is a domain, whereas a PRA or MAIL FROM
is a mailbox, even the domains used are typically disjoint.
If example.com is a domain that occurs in the PRA and MAIL FROM, it
typically won't be a valid HELO identity. Conversely,
mx1.example.com might be a valid HELO identity, but is unlikely to
be valid as part of a mailbox.
Unifying the proposals syntactically may make sense -- i.e. using a
(subset of) SPF syntax for the CSV/CSA records. I remain to be
convinced that unifying them semantically is sensible.
3. The models of reputation and accreditation are different. One is
the reputation of a domain, the other is a reputation of a host.
It's not clear to me that both of these reputation services will be
provided by the same set of providers, so if you're going to try
and use a single record for both purposes, you probably want to be
able to select separate sets of reputation services for the HELO
identity and the PRA/MAIL FROM identities, in order to avoid
redundant queries to the 'wrong' providers. This _could_ be done
with a single record, but given (2) above, this starts looking
unnecessarily messy to me.
-roy
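Point (1) above can be made concrete with a toy evaluator. This is an added example, not code from the post or from any SPF/CSV implementation: it handles only the ip4, include and all mechanisms, and the records for example.com, isp.example and mx1.example.com are constructed for illustration, not real DNS data. It compares checking a HELO name against the domain's broad, ~all-terminated record (the Unified SPF practice the post objects to) with checking it against a per-host record that lists the MTA's exact address and ends in -all.

```python
import ipaddress

# Constructed records for illustration (not real DNS data).
RECORDS = {
    # Domain record: several providers, and ~all because the owner is not
    # sure it has listed every MTA that may ever send mail for the domain.
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:isp.example ~all",
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Per-host record for the HELO name: the one address this MTA uses, hard fail.
    "mx1.example.com": "v=spf1 ip4:192.0.2.10 -all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(domain, ip, depth=0):
    """Minimal SPF evaluation over RECORDS (ip4 with CIDR, include, all)."""
    if depth > 10:  # bound include recursion, as RFC 7208 bounds DNS lookups
        return "permerror"
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
        if name == "include" and evaluate(arg, ip, depth + 1) == "pass":
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit "all" term


def helo_check(helo_name, ip, unified_domain=None):
    """Check a HELO identity. With unified_domain set, the domain's record is
    reused for the HELO (unified practice); otherwise the per-host record is used."""
    return evaluate(unified_domain or helo_name, ip)


if __name__ == "__main__":
    # A host at 203.0.113.7 (inside the ISP's range) announcing HELO mx1.example.com:
    print(helo_check("mx1.example.com", "203.0.113.7", "example.com"))  # pass
    print(helo_check("mx1.example.com", "203.0.113.7"))                 # fail
```

An address outside every listed range gets only softfail from the reused domain record but fail from the per-host record, which is the loss of strictness the post describes.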