From: Koen Martens
Sent: June 18, 2004 10:08 AM
RE: [spf-discuss] FTC: we need sender authentication before "Do
Not Spam" can work
"However, we then run into the definition of
'sollicited'. For some, entering an email address
in some web form means solliciting for email, but
if there is no confirmation whatsoever (eg. by
requiring an email confirmation) chances are
that people will put someone else's email address
in that web form."
Yes, this is a separate kettle of fish. There are
two parts:
* Disclosing in advance to the person what type
of material the person is signing up to receive;
(This has now become a legal requirement in the
US when dealing with commercial email, although
it is good business, no matter what type of list
you are operating.)
* Confirming the person who signed up actually is
the person who signed up. On this point, one
potential benefit of SPF (at least in theory) is
that it may cut down on incidents of "joe-jobs."
I gather it is not able to eliminate this
problem, due to certain limitations in confirming
authenticity when someone obscures their identify
through the use of forwarding email services,
although I may be mistaken on this point.
"I mean, if you're a normal reputable non-spam
entepreneur, you can publish SPF for your bulk
email sending server, use proper envelope from
addresses, etc. I don't see a problem?"
This is the core reason why I got involved with
the spf discuss and help lists.
I run 3 newsletters. Two are verified opt-in. One
is confirmed opt-in.
Due to general delivery/filter issues with email,
some subscribers have been complaining about not
receiving notice of publication.
(I usually send out a short note, publishing each
issue online, having recently added the feature
of a PDF upload when appropriate.)
I realize SPF is an anti-forgery tool. But by
publishing a 'classic' SPF text file in DNS for
my domain, I am hoping this will make it easier
for receivers to recognize my identity.
I appreciate this is only part of the process.
One also needs to have a third party vouch for
your credibility. However, that process is really
outside of the scope of this discussion.
Like many other people, I want sender
authentication to work, as I believe by making
people accountable, this will help to bring
abusive 'Net behaviour under control.
John
P.S. Having published my own text file after
gathering the required information, etc., etc., I
now want to understand where all this is headed,
while gaining a reasonable grounding in the
technical aspects as people are beginning to ask
for guidance.
Folks whom I have sent to the SPF site suggest
you need to be technically trained.
My own view is we should be able to make the
process simple enough so most people can do it.
This will in turn enhance widespread acceptance.
John Glube
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.701 / Virus Database: 458 - Release Date: 07/06/2004