On Fri, 2004-09-10 at 14:53 -0700, Mark Lentczner wrote:
I can't make such a statement about
"-all". I don't know that there might be some notion of identity, as
yet undefined, for which I'd need to include other hosts.
To cite an example: in today's world, you need to include other hosts
for both RFC2821 reverse-path and RFC2822 identities.
While other site owners might be willing to take such risks and publish
such records, the ability to do so lesses the effectiveness for the
whole scheme.
Indeed they might be willing to do that, and indeed it does lessen the
effectiveness of the whole scheme.
If domains are able to make claims like "We didn't know
about that identity check when we published "spf2.0/*" - you can't ding
our reputation based on that check." or " - you can't reject mail that
doesn't pass", it means that the whole scheme is diminished.
It does indeed mean that the whole scheme is diminished.
In short, when we say "domains authorized the use of identity X by
publishing an SPF record" we do so because we are going to hold them
accountable if the authorization passes, and reject if it fails. And
for those actions to have any force, the declaration of authorization
has to be incontestable.
I agree.
--
dwmw2