Many knowledgeable people feel the same way about CBV. However, does
it
bother you more than SRS?
It certainly does to me. I don't see any reason to spend time on SRS,
since I don't have any forwards to e-mail accounts with SPF filters, and
SRS is irrelevant when sending e-mails.
That is an interesting point. When there is a signed return-path, it
is
obvious that the sender invites a CBV to verify it.
The basic needs for e-mail communications are actually quite simple and
don't need call-back verification. What most people need, is:
- Being able to e-mail with friends. SPF and Autowhitelisting in
spamassassin makes this easy.
- Be able to receive e-mails from new people you haven't e-mailed with
before. SPF/spamassassin makes a very good job at ensuring, that you
don't get spam this way. You can never protect yourself 100%, since the
definition of spam is depending on who you ask... Some people define it
as "unwanted e-mails", some as "e-mails you didn't ask for", some even
say that spam is defined by the law. There couldn't be more
disagreement.
- Be able to receive bounces. Cookies in sent e-mails are one way to
ensure, that you only get the correct bounces, so SES might be a
technique here, but CBV is not necessary.
Since SPF itself isn't about fighting spam, but about publishing
policies, I believe that the SES discussion doesn't belong on this list,
just as digital signatures like PGP and S/MIME don't either.
1) I think that SRS creates enough serious problems to make it worth
looking
at alternate schemes that don't require such extreme measures.
SRS is not extreme, and you don't need to use it for all forwards. If
you forward to an e-mail address that whitelists the forwarding server,
SRS is not necessary at all. SRS is needed in certain cases, mostly for
mail providers that want to make it easy for their customers to create
forwards. For those, SRS won't be a big problem to implement.
2) SPF checks are done at each hop in the message path.
No. It's done where it makes sense. The SPF checks don't specify where
to use it - you can be fully SPF compliant without checking for it...
Even the spftools checker doesn't check it for each hop in the message
path.
Because every site will take different actions with each SPF result
(the
standard does not even require sites to reject a message based on an
SPF
fail result), and sites will unfortunately differ in their
interpretation of
Freedom of choice... that's a good thing.
an SPF record, the final recipient can't have very much confidence in
the
SPF checks done previously.
The final recipient is human and doesn't care at all about how the
e-mail was delivered. The human just wants his/her e-mail to work well,
and wants a life where the letters SPF are related to cow and pig
diseases.
3) I like the nifty "side effect" of being able to reject bounce spam
while
still accepting valid DSN's. There seems to be little disagreement on
this.
I think that's way outside the scope of this forum.
Lars Dybdahl.