On Wed, 9 Jun 2004, Seth Goodman wrote:
I like the idea of calling them "layers". I will be able to keep the
RFC2821 layer (spf-v1) and anybody willing to put XML parsers into their
MTAs can use the RFC2822 layer (spf-v2 + cid).
I can appreciate the benefit of the two layers. However, requiring XML to
do the 2822 checks may well doom it to failure. I think you phrased it well
when you said, "anybody willing to put XML parsers into their MTAs", and
that is not a very large group. I would like to see 2822 checks happen, but
think that relegating them to XML will prevent deployment. If you really
want 2822 checks to happen, I would suggest not requiring XML for them. If
you really _don't_ want 2822 checks to happen, then please make an argument
for that, but don't put an albatross around its neck in the form of XML that
will kill it indirectly.
My theory is that the XML 2822 checks can happen outside the MTA. WAIT!
Before anybody screams about bogus bounces to innocent domains,
suppose that layer 1 checks are a requirement for bouncing or dropping
a message that fails layer 2 checks after accepting the message.
Wouldn't layer 1 still prevent sending all the bogus bounces to innocent
domains?
Preventing bogus bounces is the most important feature of layer 1 for
me personally. I am the postmaster for 40 domains, I get thousands of
bogus bounces every day. If anyone ever sends a legit mail to postmaster at
any of my domains I will likely never see it. On the other hand, randomly
sampling and following up the bounces is a great way to spread the SPF layer 1
gospel. I have had at least 6 postmasters around the world take my
advice and publish SPFv1 with a promise to look into checking it for
incoming mail (which is the only way my bogus bounce load is going to go down.)
It doesn't cause me any personal pain when the 2822 data that end users
see is spoofed, so it is hard for me to get as excited about it. But
I can see the importance of enabling it.
So the RFC should require one of these options concerning the SPF layers:
1) Support layer 1 only
2) Support layer 2 only, BUT must verify and reject before the
message is accepted.
3) Support both layer 1 and layer 2. In this case, layer 2 checking
can be postphoned until after the message is accepted.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.