ietf-mxcomp
[Top] [All Lists]

Re: How is SPF different from RMX?

2004-07-30 16:48:06

On Tue, 27 Jul 2004, Alan DeKok wrote:

which creating significant impediments for legitimate email
outsourcing.

  Which is why great care must be taken in its design and implementation.

Well, it is interesting that the major corporate sponsors of SPF and RMX
aren't against spam, but only spam not originating from them or not paying
them. It is also in their interest to prevent outsourcing, so that they
get the whole service package.  I find it difficult to believe they are
really taking great care to make sure it doesn't break outsourcing.  

But, great care or not, SPF does make it pretty much impossible to
outsource. You need a record for each mailserver. It is reported that it
is only possible to have 18 root Nameservers because that is the maximum
that can fit in a DNS packet. The TXT record is not as efficient, but I
don't have any exact number for the maximum number of servers will be
possilbe.  But it will probably approximately 18.  This limits the number
of servers that can be outsourced, or even internally used.  Lets try a
more concrete example:  At present, I believe that AOL has a number of 4
inbound MX's and a larger number of outbound servers. I don't have any
special knowledge of AOL internal operations, but I think they have each
user server send outbound email directly. Presumably, they have more than
18 outbound servers.

Then there are deployment issues. Besides the cost of adding the SPF
records to tens of millions of domains and the complications of just
getting that done, there are other complications:

DNS protocols present provide for TCP connections to handle packets larger
than 512 bytes. However, many server implementations still don't support
TCP, or don't support it properly. This leaves a large number of domains
that won't be able to work with SPF, and it means that a lot of mail will
just mysteriously fail depending on the originating site's SPF
configuration.

Then there are domains that will have to re-architect their mail
architecture so that all internal mail is first sent through an "SPF
approved" server. Many systems are configured to send outgoing mail
directly.  This creates more burden on the outgoing mailservers. Some
sites will need to buy new servers as a result. This will be significant
and possibly devastating for some.

Then there are issues getting SPF deployed in mail servers. Not everyone
runs "Debian stable" with automatic update.  For most, this will mean they
will have to upgrade software sooner than they expected.  So it will be a
long while before SPF has any benefit for many sites.

This is just scratching the surface.  At each step, there are even more
complications that could go wrong, and cost money or disrupt mail.

Again: abuser takes a few days at most to adapt. Total cost to abuse: $0.

                --Dean



<Prev in Thread] Current Thread [Next in Thread>