On 3 Sep 2004, at 20:16, Rand Wacker wrote:
> Sender ID approved mail provides you with the benefit in that it is
> authenticating a well-comprehended user address, the From: header. This
> is something that's easy for users and admins to comprehend and
> whitelist.
>
> Whitelisting of the envelope is more complex and won't be understood by a
> large portion of users out there.

Unfortunately whitelisting and blacklisting of addresses happens today
(in most MTAs that I'm aware of) on the envelope address, not the
headers, and since a whitelisting has to override a blacklisting you're
suggesting a significant shift in operating procedure (from rejection
at MAIL FROM to rejection at EODATA). As someone responsible for
anti-spam for billions of mails per month I can't imagine that's a
change we'd want to make lightly, especially given the increased cost
of holding off the rejection until EODATA.

Another thing to remember is that the people at the coal face of spam
attacks don't want to be able to whitelist more. They want to get rid
of more spam. Those who want to be able to improve whitelisting have
something to sell you (this isn't necessarily bad, but it tends to be
true). Some have argued that being able to validate and accredit
domains will allow you to turn up the strength of your spam filters,
but anyone who has worked on real world spam filters (SpamAssassin and
a commercial filter here) will be able to tell you that this is very
much non-trivial.

We would make the change if it had a significant benefit to our
customers, but in this thread there has already been what I consider
strong enough proof (in response to your large bank example) that
everything we need for whitelisting even complex mail routing is
possible using the envelope address anyway.

While today there are a number of MUAs that don't display the envelope
address, the MUAs will have to change to display whichever of the MAIL
FROM or the PRA we're validating.

Furthermore, almost none of the businesses we work with allow their
users to whitelist addresses of their own choosing, at least not
without admin approval. This stuff happens today on the envelope, and
while it has taken some training it is not a significant barrier.

I agree with you that we should move forwards with Sender-ID assuming
Microsoft can fix their license issues. Certainly one of the benefits
of moving forwards is to approve -protocol, which is the real meat of
Unified SPF and will bring us gains when we come to implementing crypto
validation.

Matt.
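
Added example, not part of the original message: a Python sketch of the cost difference described in the reply above, where a list keyed on the envelope sender can reject at MAIL FROM before any message data arrives, while a list keyed on a header-derived address (the PRA) can only decide at EODATA. The list entries, addresses, sample message and the simplified PRA selection are assumptions made for illustration.

```python
# Added illustration; addresses, list entries and the sample message are constructed.
from email import message_from_string
from email.utils import parseaddr

ALLOW = {"statements@bulk.example"}   # whitelisted address (constructed)
DENY_DOMAINS = {"bulk.example"}       # blacklisted domain (constructed)

def verdict(address):
    """A whitelist entry overrides a blacklist entry."""
    addr = address.lower()
    if addr in ALLOW:
        return "accept"
    return "reject" if addr.rpartition("@")[2] in DENY_DOMAINS else "accept"

def simplified_pra(raw_message):
    """First non-empty of Resent-Sender, Resent-From, Sender, From.
    Assumption: the Resent-*/Received ordering rule of the full PRA
    selection is left out to keep the example short."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return addr
    return None

def envelope_policy(mail_from, raw_message):
    """Keyed on the envelope sender: the verdict is known at MAIL FROM,
    so a rejected message is never transferred."""
    v = verdict(mail_from)
    return v, "MAIL FROM", 0 if v == "reject" else len(raw_message.encode())

def header_policy(mail_from, raw_message):
    """Keyed on a header address (mail_from is not consulted): a listed
    header could still override, so nothing can be refused before the
    message has been received."""
    pra = simplified_pra(raw_message)
    v = verdict(pra) if pra else "accept"
    return v, "EODATA", len(raw_message.encode())

SAMPLE = ("Sender: promo@bulk.example\n"
          "From: Offers <news@other.example>\n"
          "Subject: constructed sample\n\n" + "body line\n" * 200)

if __name__ == "__main__":
    print(envelope_policy("promo@bulk.example", SAMPLE))
    print(header_policy("promo@bulk.example", SAMPLE))
```

Each function returns the verdict, the SMTP stage at which it is known, and the number of message bytes the receiver had to take in before reaching it.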