spf-discuss

Re: SPF and Responsibility

2004-07-22 14:19:10
"David Brodbeck" commented


> On Thu, 22 Jul 2004 11:14:14 -0700, Jonathan Gardner wrote
> > Everyone, eventually, will have to publish positive assertions. The
> > '?' and '~' covered servers will be the last resort for spam.
>
> So if you have a shared MTA, and so can't publish +, does this mean SPF isn't
> for you and you're better off not publishing at all?  I'm starting to wonder.
> It seems like we're heading towards SPF being the exclusive province of
> bigger players who don't go through a shared MTA.


You can use a shared MTA if you have faith that its operator will not let
messages be forged as coming from your domain.  In the simple case this would
imply:

1) The MTA requires the MSA to authenticate itself (i.e. you have to submit your
userID and password) before it will let you send anything,

2) The MTA then checks that that userID is permitted to send a message for the
domain that the message purports to come from.

Example:
I have a personal login myaccount(_at_)isp(_dot_)co(_dot_)uk(_dot_)
I want to send a message with a Return-path: of 
someone(_at_)ourvanitydomain(_dot_)co(_dot_)uk

If my ISP were to
(a) Require me to login as myaccount(_at_)isp(_dot_)co(_dot_)uk

(b) Validate the associated password

(c) Check in its tables that myaccount(_at_)isp(_dot_)co(_dot_)uk does indeed
own ourvanitydomain.co.uk

(and if I generally trusted their integrity and process quality)

then I would be prepared to publish a '+' in the ourvanitydomain.co.uk SPF
record against their outbound servers.

As it happens my main ISP does none of the above, so I _dare not_ use a '+'.

The strongest I could use is a '~', i.e. a public statement that I cannot trust
my ISP to protect my domain name against forgery.

Am I happy?    No.

Have I contacted my ISP to ask them for their plans to implement SPF _and_ the
associated MTA security?  Yes.

Did I get a reply? No, nothing.

Am I planning to move my 'vanity' domain (actually our village community domain)
to a new mail service?  You bet!

And as I now get my broadband access from a different ISP, that will be the end
of my business with that first ISP - revenue gone.

As Jonathan Gardner said an hour or so ago, SPF is 'sheer genius' because of
the dynamics it will create in the market.

Just wait 'till SPF goes 'public' and there are press articles telling small
businesses just how exposed they are to having mails in their name forged, and
giving them the above checklist to see if _their_ ISP is now protecting them.

Think what fun all those ultra-cautious corporate lawyers will have once they
understand just what the problem /opportunity is.

I think there will be a mass migration onto 'safe', SPF-friendly mail services -
especially as the smaller the pool of unprotected domains, the more likely they
will be joe-jobbed.

This is really going to sort out the good ISPs from the bad.

What self-respecting business is going to make a public statement to the effect
that 'I buy my mail service from someone who takes no steps to prevent others
from forging messages in my name'?   For that is what using anything other than
'+' will be saying.

Once the core value of SPF is understood, there'll be no stopping it!

(Hope I'm right)

Chris
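As an added illustration (not from this thread and not any real ISP's configuration) of how a shared MTA running Postfix could enforce checks (a) to (c) above: the submission path demands a SASL login and password, and the authenticated login is then looked up in a table of envelope-sender addresses it is allowed to use. The host names, file paths and table contents are assumptions; the Postfix parameter names are real.

```conf
# /etc/postfix/main.cf (excerpt) -- assumed paths, hosts and names

# (a) and (b): the MSA must authenticate with a login and a verified password
# (here via a Dovecot SASL socket; any supported SASL backend will do)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type        = dovecot
smtpd_sasl_path        = private/auth

# (c): the envelope sender (what ends up in Return-Path:) must be owned by
# the login that authenticated.  reject_sender_login_mismatch rejects both
# an authenticated session using an address it does not own and an
# unauthenticated session using an address that some login does own.
smtpd_sender_login_maps  = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

# /etc/postfix/sender_login -- assumed contents; run
#   postmap /etc/postfix/sender_login
# after editing.  Left column: envelope sender address the login may use;
# right column: the SASL login name(s) that own it.  One line per address
# is the form that matches on every Postfix version; see postconf(5) for
# how whole-domain keys are searched on the version you run.
someone@ourvanitydomain.co.uk    myaccount@isp.co.uk
myaccount@isp.co.uk              myaccount@isp.co.uk

# Only once the ISP enforces the above can the domain owner justify listing
# the ISP's outbound host with '+' (the default qualifier, so "a:" means "+a:")
# in ourvanitydomain.co.uk's SPF record, e.g. (hypothetical host name):
#   v=spf1 a:smtp-out.isp.co.uk -all
```

With the check in place, a customer of the same ISP who authenticates as a different login and tries MAIL FROM:<someone@ourvanitydomain.co.uk> is refused at the MTA, which is exactly the forgery the '+' would otherwise vouch for.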
