Forgive me if this question is misplaced. I have been a student of spam and
email for years, but I have never officially been involved in the discussion
until now.
Basically I am wondering why the "D" in MARID.
To authenticate the sender, a recipient needs to obtain an official copy of
the sender policy. One way to disseminate this information is through DNS.
But using DNS is a significant complication in implementation. (Does
everybody implement TXT records properly? Isn't it sort of a kludge to
paste together multiple TXT records to hold lengthy sender policies?). It's
a factor delaying the adoption of a standard for sender authentication.
If the sender policy basically boils down to an XML document, wouldn't
a simpler solution be for the sender to deliver the sender policy
itself? Obviously I don't mean that the sender would deliver it along with
the message - that certainly isn't secure, or optimal. The recipient would
look up "responsible domain"'s MX record (again, depending on exactly what
you want "responsible domain" to mean), and request the sender policy from
the domain's SMTP server, perhaps using a simple SMTP extension like
SPOLICY <domain>
This places no additional role or burden on DNS. It also more fairly
distributes the extra communications load required to maintain this
information on those sending the most messages. All changes required to
implement sender authentication are in one piece of software: the MTA.
Again, forgive me if this idea is one that was considered and rejected long
ago, I scanned the archives and didn't see the idea mentioned.
- Fletcher Dunn
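
The TXT-record concern raised in the post, as an added example that is not part of the original message: a DNS character-string holds at most 255 octets (RFC 1035), so a long policy in one TXT record has to be split by the publisher and rejoined by the receiver. The XML policy and the function names are constructed for illustration, and reading "paste together" as joining the strings of a single record is an assumption.

```python
"""Constructed example: a long sender policy carried in one DNS TXT record."""

MAX_CHUNK = 255  # RFC 1035: a <character-string> is a length octet plus up to 255 octets


def encode_txt_rdata(policy: str) -> bytes:
    """Split a policy into length-prefixed character-strings (TXT RDATA wire form)."""
    data = policy.encode("ascii")
    if not data:
        return b"\x00"  # a TXT record holds at least one (possibly empty) string
    out = bytearray()
    for i in range(0, len(data), MAX_CHUNK):
        chunk = data[i:i + MAX_CHUNK]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[bytes]:
    """Parse TXT RDATA back into its character-strings, rejecting malformed input."""
    strings, pos = [], 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("character-string runs past end of RDATA")
        strings.append(rdata[pos:pos + length])
        pos += length
    if not strings:
        raise ValueError("empty TXT RDATA")
    return strings


def reassemble_policy(rdata: bytes) -> str:
    """Join the strings with no separator, as the receiver must to recover the policy."""
    return b"".join(decode_txt_rdata(rdata)).decode("ascii")


# Constructed sample policy (hypothetical XML, not a real MARID format).
SAMPLE_POLICY = "<policy domain='example.org'>" + "".join(
    f"<mta ip='192.0.2.{n}'/>" for n in range(1, 41)) + "</policy>"

if __name__ == "__main__":
    wire = encode_txt_rdata(SAMPLE_POLICY)
    print(len(SAMPLE_POLICY), "octets ->", len(decode_txt_rdata(wire)), "strings")
```

A receiver that reads only the first character-string would see a truncated policy, which is why the reassembly step has to be implemented consistently on both sides.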