spf-discuss

RE: SPF and Responsibility

2004-07-23 09:58:29
I have been reading this discussion with interest. 

A couple of questions:

* Why should it be necessary to place any form of prefix in
front of the a record mail server mechanism in the
published SPF record of a particular domain?

I ask this because my understanding is that when I publish
a record for mydomain.com which states simply:

"v=spf1 a -all"

I am saying only mydomain may send email from the noted
mail server, or do I misunderstand the situation?

Why should I have to go further and write:

"v=spf1 +a -all"

I ask because I understand the default prefix is + unless
otherwise stated, so by saying "v=spf1 a -all"

am I not saying:

"v=spf1 +a -all"

* As to the whole issue of responsibility, catching
spammers and so forth, after referencing SPF, Caller-ID and
DomainKeys, the Federal Trade Commission made the following
comment in its report on the feasibility of a National Do
Not Email List:

"It should be noted that these private market proposals do
not authenticate the identity of the person sending an
email. In other words, if a message claimed to be from
abc(_at_)ftc(_dot_)gov, the private market proposals would
authenticate that the message came from the domain
"ftc.gov," but would not authenticate that the message came
from the particular email address "abc" at this domain.
Nonetheless, domain-level authentication would confound
spammers’ ability to engage in spoofing and to send
messages via open relays and open proxies, enable ISPs to
deploy more effective filters, and provide law enforcement
with an improved ability to track down and prosecute
spammers."

(see page 12 of the Report.)

Is this not a reasonably accurate assessment of where the
marketplace may well be with widespread implementation of
domain authentication?

And if not, I would be most grateful to understand why not,
if people feel inclined to respond in detail.

A couple of reasons:

* I think it is important for industry to be both pragmatic
and realistic in its expectations.

* It is useful to understand the potential issues, not
because I want to turn this into an attack on SPF,
Sender-ID, CSV or any other proposal on the table. 

Rather, one of the issues with both the Submitter concept
and the PRA algorithm which now form part of the MARID
document series before the IETF is that there has been no
significant testing "in the wild."

It might be helpful, if we could move forward with
developing testing models and then approaching the big
emailers (like Amazon) and ISPs like AOL to see if we can't
get some large scale results.

This would be helpful in assessing the real world validity
of the modifications proposed in the MARID document series.

* Also, one of the suggestions put forward on the IETF
mailing list was to call on "verifiers" from the greybeard
list to go through the MARID documents and express their
comment and views.

Since the issue of "SPF and Responsibility" tends to go to
the core question of industry expectations, I am interested
to know what steps, if any, have been taken along this path.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
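
On the prefix question raised in this message, the following is an added example, not part of the original post and not code from any SPF implementation. It parses a record, makes the implicit "+" qualifier explicit, and evaluates it against a constructed set of mechanisms assumed to match the connecting host (no DNS lookups are performed). The function names are hypothetical.

```python
# Added example: how an SPF verifier treats a mechanism with no qualifier.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return [(qualifier, mechanism)] with the default '+' made explicit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        # Modifiers (name=value, such as redirect=) take no qualifier; skip.
        name = term.split(":", 1)[0].split("/", 1)[0]
        if "=" in name:
            continue
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term  # default qualifier
        if not mechanism:
            # A qualifier separated from its mechanism by a space is invalid.
            raise ValueError(f"qualifier without a mechanism: {term!r}")
        parsed.append((qualifier, mechanism))
    return parsed


def canonical(record):
    """Rewrite a record with every qualifier spelled out."""
    return "v=spf1 " + " ".join(q + m for q, m in parse_spf(record))


def evaluate(record, matches):
    """Result decided by the first matching mechanism, read left to right.

    `matches` is a constructed set of mechanisms assumed to match the
    connecting host; 'all' always matches.
    """
    for qualifier, mechanism in parse_spf(record):
        if mechanism == "all" or mechanism in matches:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there is no 'all'


if __name__ == "__main__":
    for rec in ("v=spf1 a -all", "v=spf1 +a -all"):
        print(rec, "->", canonical(rec),
              "| listed host:", evaluate(rec, {"a"}),
              "| other host:", evaluate(rec, set()))
```
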
