
RE: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02

2005-08-27 18:03:13

On Sat, 2005-08-27 at 12:00 -0700, william(at)elan.net wrote:

But if reuse of spf1 records is really really the only way for MS
and it wants to continue, then the only possibility for negotiation
I see is to get it part the way for both sides. This would involve:
   1. MS agrees to change its draft and only use positive results of
      SID verification on v=spf1 records (but not fail, softfail or
      results if record is absent) and that for negative results real
      SPF2.0 record would be needed.

This overlooks a problem related to abuse-feedback techniques accruing
to "Sender-ID verified" identities.  An erroneous positive verification
based upon a PRA, unchecked by the sender perhaps due to licensing
issues, could be a serious concern.  These SPF records are public and
outbound servers are often shared.  

Neither of the path registration schemes provides domain protection at
shared servers.  Even with MTA checks to mitigate domain spoofing at
shared servers, these checks may also be limited by the same licensing
issues.

This retains a need to understand the assurances made by the sender with
respect to the scope of the record, and is unrelated to how a failure is
handled.  Assume the miscreants will know what passes.  

-Doug