spf-discuss

Re: ebay problem

2004-06-05 19:22:50
In <3665928296(_dot_)20040606115457(_at_)pobox(_dot_)com> Chris Drake 
<christopher(_at_)pobox(_dot_)com> writes:

* Convince Ebay to not forge email addresses.  (They could do SRS,
  for example, or to collect any bounces themselves.)

I *like* the way that my emails through eBay hit the recipient with my
address as the "From" - (they are not figuratively "forged" - I typed
the email in through their web site in the 1st place remember).

If you like the way eBay works, you should either not publish an SPF
record for your domain or you should use your SPF record to authorize
the eBay mail servers to use your domain.

It is wrong to try and force other people to do what *we* want,
especially when what they're doing is perfectly reasonable.

No one is forcing anyone to do anything.  SPF *allows* domain owners
to have a voice to communicate with email receivers and lets domain
owners express how they would like their domain names to be used.
Domain owners don't have to speak and email receivers don't have to
listen.

However, if a domain owner says "I only want the following IP
addresses to be able to send email claiming to be from my domain",
what right does eBay have to use that domain name anyway?  If the
domain owner uses their newfound voice to say stupid things, who are
we to stop them?


I say we should build something extra into the system so that...
A) If the actual sending MTA did forge an address, the receiving
   SPF-enabled code can make a check to decide whether or not to allow
   this.

As mentioned in my first reply to this thread, email receivers already
have a "local policy" option on several SPF implementations that allow
them to decide if they want to allow eBay's wide open use of all
domain names.  The "local policy" option generally has a short-cut
that allows the checking of the trusted-forwarder.org global
whitelist.

B) Add an *extra* SPF field into the spec so that people who want to
   forbid this "authorized spoofing" (example: an online bank) can do
   so if they're utterly convinced that nobody should ever send mail
   as them.

That is already up to the domain owners.  eBay could, if they chose,
help out by publishing an SPF record that domain owners could include:
in their SPF record.


And keep in mind - 99.9% of admin people are going to say "nobody
should ever spoof mail from my domain - period." - and 99.8% of them
are going to be wrong because they didn't think about eBay, PayPal,
greeting cards, web-based office tools, legitimate mailing list
companies, 3rd party survey organizations, and a load of other legit
things.

I suspect that far more than 0.1% of the domain owners will consider
things like greeting cards and such to be unacceptable use of their
domain names.

Mailing lists already work just fine with SPF.

I'm not sure what you mean by web-based office tools or 3rd party
survey organizations, but either they are authorized by the domain
owners, or they aren't.  


ISPs don't
want to tell their customers "it's not our fault you missed out on
some auction, it's eBay who refused to obey our new rules who is to
blame"

ISPs that don't give their customers reasonable options will find
themselves in trouble.


For a very long time, domain owners have had no voice in how their
domain names are being used.  Yes, a large number of people/companies
have come to depend on being able to ignore the wishes of domain
owners.  That doesn't mean that these people/companies have some right
to do whatever they want.  Smart people/companies will either get
permission for what they are doing or change.  


-wayne

