spf-discuss

Re: Are SPF fault tolerant ? How to make SPF records changed correctly ?

2004-07-13 15:49:44
Even if the message was signed with PGP, S/MIME or DK, why should a
foreign ISP accept it for relay if
you are not their customer?  IMHO, they shouldn't.

Why? I'm paying my provider at an hourly rate for their Internet Services (read:
ISP).
If they see that the message is signed by a valid DK key (for my
user@mycompany.com
email) they will accept it for delivery; if not signed, they check that I'm a valid
user and sign using the key for the client@ISP.net email.
No need for an open relay. They relay only the IPs of _their_ dial-up clients.

Also, the SPF record for the mycompany.com domain does not need to know this ISP's IP
range and mail routing architecture to make email delivery via the local ISP
possible. mycompany.com DNS must provide only a valid public key for my email
message.
No need to update SPF records and no need to use SMTP AUTH/web-mail.

No need to maintain mail routing information.
No more old-days email addresses:
user@server!joe!router!isp!mail!dialup

I will be able to dismiss my "responsible, knowledgeable, experienced
network engineers" (rare and costly people) required to maintain my web-mail
or SPF records and keep salary savings in my pocket or use for my main
business activities.

DK can be flexible. Both signing and validation can occur on MTA and/or MUA.

P.S. FYI, my question about the time required to make changes to DNS so as not to get
550 was answered incorrectly or incompletely.

How much time (based on TTL) will it take to move our server to send
emails correctly without "550" retries?
Meng's answer:
"If you can plan these things ahead of time, you can arrange the TTLs to
create a seamless transition."

Jonathan Gardner AT amazon.com (IMHO, he is an experienced DNS engineer; not
everybody understands how to change DNS values correctly):
"Depends on the TTL of your DNS records. Moving HTTP servers, receiving MTAs,
and other services experience the same problem.

What I've seen done in the past is a few days before the move, change the
TTL to a few minutes. Then, after the move, publish new records with TTLs
of a few minutes (just in case there are mistakes). After checking the
systems are working, extend the TTLs to whatever you normally have them -
24 hours or whatnot."

Both answers are incomplete. Switching ISPs is not that easy.
It is not just 2 TTLs or 24 hours that are required to change an SPF record.

Consider email messages that were sent using your old ISP.
They can be kept in the mail queue for up to 2 days (or even longer?!) before
actually being delivered to recipients.
This way, new SPF records listing only the new ISP's mail server can block them.

So? An SPF record change is a non-trivial process that can take up to several
days.
Even experienced DNS administrators can forget about messages in the mail queue.

--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
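The queue problem described in the post, as an added example that is not from the post or anyone in the thread: a small Python planner that keeps the old ISP's netblock in the SPF record until the longest possible queue lifetime has elapsed, plus a checker that evaluates a sender against every record version a resolver could still be caching. Netblocks, the cutover date, TTLs and the 2-day queue lifetime are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed values, not from the post: documentation netblocks stand in for the two ISPs.
OLD_ISP = ipaddress.ip_network("192.0.2.0/24")
NEW_ISP = ipaddress.ip_network("198.51.100.0/24")
CUTOVER = datetime(2004, 7, 20)            # assumed moment outbound mail moves to the new ISP
NORMAL_TTL, SHORT_TTL = timedelta(hours=24), timedelta(minutes=5)
MAX_QUEUE_LIFETIME = timedelta(days=2)     # the post's "up to 2 days" a message may sit queued

@dataclass
class Step:
    published: datetime   # when this version of the record is published
    ttl: timedelta        # TTL it is published with
    networks: list        # netblocks it authorizes

def spf_text(step):
    """Render a step as the SPF TXT record it publishes."""
    return "v=spf1 " + " ".join(f"ip4:{n}" for n in step.networks) + " -all"

def transition_plan(cutover=CUTOVER, lead=timedelta(days=3), verify=timedelta(days=1)):
    """Move from OLD_ISP to NEW_ISP; the old ISP stays authorized until the
    longest possible queue delay has elapsed, then the TTL goes back to normal."""
    return [Step(cutover - lead, SHORT_TTL, [OLD_ISP]),                   # lower TTL ahead of the move
            Step(cutover, SHORT_TTL, [OLD_ISP, NEW_ISP]),                 # both ISPs during the overlap
            Step(cutover + MAX_QUEUE_LIFETIME, SHORT_TTL, [NEW_ISP]),     # old queue drained: drop old ISP
            Step(cutover + MAX_QUEUE_LIFETIME + verify, NORMAL_TTL, [NEW_ISP])]  # verified: restore TTL

def naive_plan(cutover=CUTOVER):
    """The TTL-only plan the post criticizes: old ISP removed at cutover."""
    return [Step(cutover - timedelta(days=3), SHORT_TTL, [OLD_ISP]),
            Step(cutover, SHORT_TTL, [NEW_ISP])]

def records_possibly_served(plan, when):
    """Record versions a resolver may still hand out at `when`: the current one,
    plus the previous one while its TTL has not expired since the change."""
    out = [s for s in plan if s.published <= when]
    served = [out[-1]]
    if len(out) > 1 and when < out[-1].published + out[-2].ttl:
        served.append(out[-2])
    return served

def sender_passes(plan, ip, hours_after_cutover, cutover=CUTOVER):
    """True only if `ip` is authorized by every record version a receiver
    might evaluate at that moment (the worst case for the sender)."""
    addr, when = ipaddress.ip_address(ip), cutover + timedelta(hours=hours_after_cutover)
    return all(any(addr in n for n in s.networks) for s in records_possibly_served(plan, when))
```

Note that even the new ISP's address fails at the exact cutover instant, because resolvers may still hold the pre-cutover record for one short TTL.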

