On Sat, 2004-09-18 at 11:49 -0400, Meng Weng Wong wrote:
The SPF story goes like this:
"If I don't publish SPF records, what have I got to lose?"
"Spammers might spoof with your domain name in the
return-path or the headers."
"Will people reject my mail simply because I have no SPF
record?"
"Considering that lots of domains have no SPF record,
that day is pretty far off. Though you never know how
aggressive some people might get."
"Then why should I bother?"
"Because when people forge your domain name in the
return-path or the headers, you get the bounces, and
your users get phished. Is that a problem for you?"
"Oh, then yes, that is a problem."
Actually the DK/IIM/etc. story about true end-to-end authentication goes
like that too. It's at _this_ point that they diverge, and you left out
the end of the story. The SPF story continues like this:
"This phishing is mostly academic, but would be nice to stop.
But more importantly, I did this SPF record and now there are
people out there who are rejecting my _real_ email. That's
more important to me. They tell me I should stop publishing
a record like you say. What is the truth?"
"Er, um, er. They should upgrade because the way the whole world
works is different now."
"I asked around and they say that this hasn't changed for
years and you are being naïve. Did you trick me? Do we need
to wait for everyone out there to change the way that
Internet email works first? I removed my SPF records."
Now when we come to them with the same conversation about
DK/IIM/whatever, they're going to tell us to get stuffed.
This is going to be _entirely_ counterproductive in the long run. If you
want true authentication, implement a true end-to-end scheme rather than
a hop-by-hop scheme which cannot ever solve the problem. MARID has its
place but this is _not_ it.
We need to stop disingenuously selling SPF/SenderID as a real
authentication scheme. Those who sell it like this are doing us _all_ a
disservice because they're going to severely hurt adoption of whatever
true authentication scheme is settled upon by those groups who are
working on it as we speak.
As for selling SPF as a method to stop bounces -- that's just bizarre.
BATV/SES are a totally effective way of doing that, without requiring
_anything_ of third parties for the 'publisher' to get the benefit.
--
dwmw2