
RE: Eric Allman comments on SPF

2003-12-04 09:45:14


> Hallam-Baker, Phillip wrote:
>
>> The way I would deal with this is to get the big ISPs together in a room
>> with the filter companies and run through the available options.
>>
>> I think that the problem Libbey is raising here is a much more general
>> network configuration issue. That's OK, we can address that a number of
>> ways.
>
> This suggestion also raises the bar for adoption.  The current SPF
> proposal is, "Add this record to your DNS server."  That's easier than
> "Designate an engineer to attend a series of working group meetings,
> and if those meetings go well, you won't have to redesign your mail
> infrastructure to work with this new system."

We don't need engineers from every major ISP, just one or two.

The problem with decorating the specification to meet this group's needs is
that they are the first group you have met. You do not know how many other
groups you are going to meet asking for decorations. If you are successful
that number will certainly not be zero.

If all we are going to do is an MX record lookup then why do we need SPF at
all? I can do an MX record lookup without any additional specifications.

> SPF's biggest risk, practically its only risk, is that it'll never
> achieve critical mass.  It has to be as easy as possible for domain
> administrators to pick up.

There is a second risk, that we will not be able to extend it to add
functionality. By functionality I mean make a statement about a mail sender
other than providing DNS based authentication.

For example I would like to be able to add into a domain information that
says 'I am accredited by Ironport, check here'. The ability to advertise
accreditation through the DNS allows much stronger statements to be made
than authentication alone. It also means that the market for accreditation
services can be made open; you do not need to be a well known brand to start
offering accreditation services. Filtering systems with feedback systems
will very quickly determine what the correct degree of weight is to apply to
a new accreditation service.

I would also like to extend beyond just using DNS based authentication. I
would like to be able to say 'we authenticate all outgoing mail by S/MIME',
or 'this mail server always accepts STARTTLS if offered (for SSL
transport)'.

> As for the extra overhead of MX lookups, if you, the administrator of
> domain X.Y, are getting hammered by MX lookups, you can decide not to
> use the mx mechanism for domain X.Y, and use ip4 or 6 instead.  That's
> independent of what any other domain does.

The problem is not the MX record lookup; the problem is how far you go down
the slippery slope to featuritis.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt
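The exchange above turns on whether a domain's SPF record forces receivers to do extra DNS work (the `mx` mechanism) or can be evaluated from the record text alone (`ip4`/`ip6`). As an added example that is not part of the thread or of any SPF implementation, the following Python classifier parses a v=spf1 record and reports which terms cost the receiver a DNS lookup; the mechanism names are those of the SPF draft, and the sample records are constructed.

```python
"""Classify the terms of an SPF v1 record by whether evaluating them costs
the receiver a DNS query (mx, a, include, exists, redirect, ptr) or can be
decided from the record text alone (ip4, ip6, all). Sample records are
constructed for this example."""
import ipaddress
import re

# Mechanisms/modifiers whose evaluation requires further DNS queries.
LOOKUP_TERMS = {"mx", "a", "include", "exists", "redirect", "ptr"}
# Terms the receiver evaluates without any additional DNS traffic.
STATIC_TERMS = {"ip4", "ip6", "all"}

# qualifier, mechanism name, then an optional ":arg", "=arg" or "/cidr" tail
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)((?:[:=/].*)?)$", re.I)


def parse_spf(record: str) -> list[dict]:
    """Split a v=spf1 record into terms and flag those needing a lookup."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    terms = []
    for field in fields[1:]:
        m = TERM_RE.match(field)
        if not m:
            raise ValueError(f"unparseable term: {field!r}")
        qual = m.group(1) or "+"
        name = m.group(2).lower()
        arg = m.group(3)
        arg = arg[1:] if arg[:1] in ":=" else arg  # keep "/24" style suffixes
        if name not in LOOKUP_TERMS | STATIC_TERMS:
            raise ValueError(f"unknown mechanism: {name!r}")
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)  # validate syntax
            if net.version != int(name[-1]):
                raise ValueError(f"{name} term with wrong address family: {arg}")
        terms.append({"qualifier": qual, "name": name, "arg": arg,
                      "needs_lookup": name in LOOKUP_TERMS})
    return terms


def lookup_cost(record: str) -> int:
    """Number of terms a receiver must resolve via DNS to evaluate the record."""
    return sum(t["needs_lookup"] for t in parse_spf(record))


if __name__ == "__main__":
    for rec in ("v=spf1 mx -all",                                  # 1 lookup
                "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"):  # 0 lookups
        print(f"{lookup_cost(rec)} lookup(s): {rec}")
```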

