ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-21 02:17:03

[Greg Connor]:

  I'm not sure what having "your own IP address" has to do with
  either authentication or authorization.  Are you working under the
  misapprehension that you need a separate IP address per domain
  name in order to turn on SMTP AUTH and enforce proper use of
  identities?

excuse my jumping in, but it seems like you and Doug can't understand
each other very well :-)

no.  SPF authorises an IP-address to use a domain.  that IP-address
may be authorised to use several other domains as well.  it can also
handle other domains which haven't deployed SPF.  these domains can be
owned by different entities, and SPF offers no protection against
abuse from the entities sharing your server.  in fact, they will be
fully authorised to spew junk and destroy your reputation.  so you
take your business elsewhere -- but it won't help.  the reputation is
tied to your domain name.  the only solution is to plead with others,
to wait, or to switch domain name.

contrast this with CSV.  CSV authorises a server to send e-mail in
general, its administrator claims responsibility for handling abuse
complaints in a timely manner and so on.  CSV says _nothing_ about the
domains used as sender addresses in the e-mail sent out by that
server.  as a consequence there are no issues with forwarding, or
people using their Hotmail address even when sending via the
university server etc.  it also means that if you happen to be hosted
by an irresponsible company, you can take your business elsewhere, to
a host which may already have good reputation.  the bad reputation is
left behind with the bad server.

  A casual reader of the above might make the mistake of assuming
  that SPF requires a static IP in order to work.

well, it does require at least one IP address per entity wanting
distinct reputation.  I'd say that's pretty close to requiring an IP
address per domain, but of course that's a judgement for each domain
operator to make.

  You stated a couple of times (though I snipped them for space
  conservation) that you see CSV and DKIM as a valid path to
  authorization, authentication, and reputation.  Why do you feel
  that CSV+DKIM fulfills this goal, but SPF-HELO+DKIM would not?

DKIM handles the other piece, authorising the use of the domain (or
individual e-mail address) as a sender of e-mail.  this is done by
adding cryptographically secure authentication to the message itself.
this leaves the authentication to the system generating the e-mail,
either at MTA or MUA level, and it survives forwarding through a chain
of servers (although there are some caveats still being worked out.)

-- 
hope this helps,
Kjetil T.
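The point made above, that SPF authorises an IP address to use a domain and that a shared server's address therefore ends up authorised for every domain hosted on it, can be seen with a small evaluator. The code below is an added illustration and is not part of this message or of any SPF implementation; the zone data, domain names and addresses are constructed (documentation ranges), and the evaluator handles only the ip4, include and all mechanisms.

```python
import ipaddress

# Constructed sample TXT records (assumption: not real DNS data).
# example.com and example.net both list the shared host 192.0.2.10.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 ip4:192.0.2.10 include:example.org -all",
    "example.org": "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example": None,          # domain that has not deployed SPF
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT lookup, served from the constructed zone."""
    return ZONE.get(domain)


def check_spf(client_ip, domain, _depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for client_ip and domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # no SPF policy published
    if _depth > 10:
        return "permerror"                  # include loop / too deep
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]    # catch-all decides the rest
        name, _, arg = term.partition(":")
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain yields pass
            if check_spf(client_ip, arg, _depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched, no "all"


def domains_authorizing(client_ip, zone=ZONE):
    """List every domain in the zone whose SPF policy gives client_ip a pass.

    This is the shared-server situation from the message: one IP, several
    domains, all of them authorised, none of them able to exclude the others.
    """
    return [d for d in sorted(zone) if check_spf(client_ip, d) == "pass"]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "10.0.0.1"):
        print(ip, "->", domains_authorizing(ip))
```

Running it shows 192.0.2.10 passing for both example.com and example.net, so anything that host sends under either domain is authorised by SPF, which is exactly the reputation coupling the message warns about; example.net also passes 203.0.113.5 through its include of example.org.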