ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-21 15:43:00

Alan DeKok <aland(_at_)ox(_dot_)org> wrote:
Kjetil Torgrim Homme <kjetilho(_at_)ifi(_dot_)uio(_dot_)no> wrote:

in fact, they will be fully authorised to spew junk and destroy your
reputation.  so you take your business elsewhere -- but it won't
help.  the reputation is tied to your domain name.

So your reputation doesn't recover when you move the domain elsewhere?

   Exactly. A 60-day review cycle is considered fast.

contrast this with CSV.  

Which does something else entirely, so comparisons aren't really
appropriate.

   Comparison of effects _is_ valid...

it also means that if you happen to be hosted by an irresponsible
company, you can take your business elsewhere, to a host which may
already have good reputation.  the bad reputation is left behind
with the bad server.

And no one, of course, will make the connection between "bad IP" and
"your domain is at that IP", so it will be impossible for anyone to
decide that the IP's bad reputation will affect your domain's
reputation.

   True, various reputation services _will_ screw things up in any
way we can imagine, and some we can't...

Where SPF ties reputations to domains, CSV ties it to IP's. 

   There's really no basis for such a statement.

   CSV contains a well-defined structure for reputation services.
Authorization is _by_ the domain of the HELO string, and _of_ any
actions of the MTA using that HELO string. The IP address(es) are
only for authentication that the MTA using that HELO string is one
operating under the control of that domain.

   The absolutely clear intent of CSV is to provide information
showing authorization and authentication by a _domain_ -- not by
some ISP which assigns IP addresses.

   CSV cannot stop reputation services from tying reputation to
IP addresses, but the information it provides is tied to domains.

Since domains are hosted at IP's, it's not a terribly large leap of
faith to use CSV to tie reputation to domains, too. 

   It is no leap at all: CSV information shows a responsible domain
(not a responsible IP address).

And CSV can't prevent this leap, so we can guarantee that people will
be using CSV to affect domain reputation.

   Thank you. That is exactly our intent.

At that point, much of your argument against SPF applies to CSV.

   I'll let others judge that. I read Kjetil's argument to be that
with SPF, your reputation will not quickly recover, and will inhibit
email "From" your domain for quite a while, whereas with CSV the
reputation which will suffer is that of the MTA sending it, and you
can immediately send email "From" your domain through a different
domain's MTA.

   (Since the MTA is generally not visible to readers of your email,
they will be unaware of any change.)

--
John Leslie <john(_at_)jlc(_dot_)net>