spf-discuss

How to reach critical mass

2003-12-11 18:33:06


I've been thinking about what the best way for SPF to reach critical
mass is.  There clearly is a chicken and egg problem with adding SPF
records being useless unless they are checked, and checking for SPF
records is useless unless they exist.


It has been mentioned before that places like eBay and banks may well
be interested in using SPF, and I completely agree.  In fact, I would
suggest that these folks may well be some of the best early adopters.
There was a segment on NPR just tonight about how there are phishing
scams from brokerage firms.  There certainly is enough phishing of
Citibank and PayPal going on.

Financial institutions do not have a huge number of people sending
email from them, so the forwarding and travelling mailman problems are
less.  They may well be willing to reserve certain domains for
"customer" email.  While initially there won't be much benefit from
them, they may well be receptive to "fiduciary duty" type sales
pitches.  Publishing SPF records is a reasonable and prudent step they
should take to protect their good name.


ISPs with lots of customers may not be willing to publish SPF records
(even very loose ones), but if we can get financial institutions to
publish SPF records, we may well be able to convince ISPs that they
should check for them in order to help protect their customers.


Folks that complain about their domains being hijacked by spammers are
good targets to deploy SPF records, but I suspect that most of them
are going to be too small to add up to much.  Suggesting to them to
start using SPF doesn't hurt and spreads the word, but I don't think
it will get us very far.


People who develop challenge-response anti-spam filters may be
receptive to using SPF since there is a big problem with these systems
sending challenges to the wrong folks.


Universities and such initially struck me as being hopeless targets
for deploying SPF, but that may not be true.  For student accounts,
publishing SPF records might be something seen as controlling abuses.


Governmental organizations may well be interested both to "protect
their good name", but also to "protect the taxpayers from government
employee waste".  



I really don't think we need to reach a huge percentage of domain
owners publishing SPF records in order to interest people in checking
them, and once the checking is reasonably widespread, we are set.
Not all emails are equally important.


Ideas?


-wayne


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt