ietf-mxcomp

Philosophical discussions (was Re: draft-schlitt-spf-classic-01.txt )

2005-06-07 16:26:10

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
The possible network addresses of where a message can be delivered for a
specific domain may only be partially resolved in an MX lookup process.
Once a valid network address has been discovered, immediate delivery
would normally be to that network address.  Once delivered, the message
may then be passed on to several other locations, before arriving at a
mailbox destination.  Often you can not know this path, nor would you
normally care.

  But if I deliver a message to the MX that is authoritative for the
domain of the mailbox, the message is *delivered*.  It's *done*.
You're assuming that *my* message gets forwarded *from* the domain I
sent it to, and that it's still marked as *my* message.

  If it does, I don't see why it's labelled as "my" message.  The
historical approach to label it that way is nice historically, but
there appear to be some kind of abuse issues associated with it...

While the domain owner will surely suffer the results of an MTA
administrator's lack of diligence, I would not expect any domain owner
has accepted this accountability.  I have heard time and time again,
admonishments that domain owners should ignore concerns in this regard.
SPF somehow magically protects them.  A shamefully false statement of
course.

  Sure.  But if they choose to accept that accountability, isn't that
their choice?

The suggested dummy PRA record by Sender-ID has already been
declared to have limited value in the future.  What then?

  They can use a proposal that doesn't have problems.

The publishing of these records should include a disclosure as to the
potential negative impact this record may have with the domain's
reputation.  It should describe what actions are needed by the provider,
to ensure the domain owner's protection in the all too common case of
shared MTAs.

  That's a matter for the documentation of the proposal, not for its
implementation.

Importantly, there should be a way to use the SPF record that clearly
indicates what is being assured by the domain owner.

  Of course.  Any similar system should have similar assurances.

  Alan DeKok.