From: Meng Weng Wong
Sent: Saturday, July 03, 2004 8:03 PM
To expand on the Unified SPF concept shown at
http://spf.pobox.com/slides/unified%20spf/

In these slides, you suggest first looking for reasons to whitelist the
message before looking for reasons to reject it. The justification you gave
was the Linux hobbyist who is running an MTA on a dynamic IP line. This
bothers me a little because:

1) Do we really want the preferred deployment of Unified SPF to enable people
to violate their ISP's AUPs? This is hardly an adoption incentive for ISPs.
Feeling a rare bit of sympathy for ISPs as well as my own inbox, I don't
see why we should help anyone sending mail from a dynamic IP. _Most_ people
on dynamic IPs are not capable of running MTAs. As you pointed out,
without accreditation and reputation services, we can't tell this guy/gal
from a spammer. We certainly shouldn't provide a mechanism that trumps the
ISP's AUP. It's their netblock, after all, and they're responsible for its
use.

2) We shouldn't be building anything that _requires_ accreditation and
reputation services to function reasonably. This could easily mean real
money paid to large companies, which is not what SPF is about. For people
who want to pay for enhanced information to make better decisions on which
messages to accept, terrific, but let's not make it a requirement to reject
basic forgeries.

3) Since most email today is forged junk, it would require less processing
if we first look for reasons to reject rather than to accept. As long as we
aren't trying to enable the delivery of mail from Linux hobbyist dynamic
IPs, this shouldn't present any problem.
--
Seth Goodman