spf-discuss

RE: Opening Debate on SPF vs. SenderKeys

2004-08-20 12:50:41
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
AccuSpam
Sent: Friday, August 20, 2004 2:59 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Opening Debate on SPF vs. SenderKeys

So far (and my viewpoint is open to change from discussion), I
see SPF and DomainKeys as the most efficient solutions to stop
all forgery from dedicated domains, such as ebay.com,
wellsfargo.com, etc. that are victims of phishing.  This is
because for example in SPF, the protected domain can be marked as
"-all" (assuming the corporation creates another domain for its
employees who are not restricted to use corporate mailservers),
which means one can very efficiently block all e-mail for that
domain not coming from the approved mail servers.

This has been extensively discussed on the list.  Without creating
another domain, entities with complex situations such as you describe can
deal with them effectively with the exists mechanism.

However, for personal and small organization domains, as well as
for ISP domains, it is not going to be practical to get them all
to declare "-all", because of the varied use of email.  Imagine
the personal domain owner having to coordinate with his ISP or
Host to setup a way to SMTP AUTH on the server, having to upgrade
and configure his email program to interface with the type of
SMTP authentication supported by his ISP or Host (there are
several flavors of SMTP authentication, e.g. POP before SMTP,
etc.), then having to fight with ISPs that block ports or other
incompatibilities that are bound to occur with moving to
authenticated SMTP (which I think is highly underestimated
because it involves two extremely variant variables, clients and
servers).  Besides the forwarding complexity of SPF (SRS) would
give DomainKeys the upper hand in terms of end-user complaints in
this wider market, but DomainKeys is more effort for senders to
adopt (more than simple DNS change).

I'm one of the people in that category.  It's worked out ok for me.  Have a
look if you doubt:

http://us.mirror.menandmice.com/cgi-bin/DoDig?host=&domain=kitterman.com&type=TXT&recur=on

As a domain owner and sender I have effectively told the rest of the world
how to determine if messages from my domain are a forgery.  It took a while
to figure it out (I used ~all for a couple of months until I was sure).  The
forwarding problem really isn't mine as a sender.  Receivers who process
will need to whitelist any non-SRS compliant forwarders they have.

I am in the process of switching to a new DSL provider.  This morning it
took me less than 5 minutes to figure out how to update my record.

I am also in the process of making changes to accommodate customer
encryption/authentication requirements.  That took a lot more effort.

Whereas, with SenderKeys, the ISP or personal domain user, simply
responds to an enticement e-mail and upgrades his email program
(MUA).

How would your approach work for me when I'm connecting from my Palm OS
based telephone?  Is there a patch for the MUA I use there?

http://www.snappermail.com/palm/email/

Oh, and an update to Squirrel Mail that my domain host (yours too as it
happens) uses for webmail would be appreciated too:

http://www.squirrelmail.org/

The upgrade might even happen automatically (as part of
an OS upgrade) before the user ever sees an enticement e-mail,
because I only know of one email address in all the ones in my
businesses that ever received bounces due to being forged--
forgery is (luckily) not yet that widespread, so if we act soon,
most users will never know they were being forged.  And
compatibility with servers is assured, because SenderKeys expects
no changes in SMTP usage.

Clearly your experience is different from mine.  I get hundreds every day.
Most of the people on this list are in a similar boat.

So I view SPF and SenderKeys as complementary.  They each solve a
different problem.  I think SPF is actually more important
initially because the phishing of big corporate domains threatens
to undermine the use/trust of e-mail for corporate communication.

Then why are we comparing apples and oranges?  SPF is anti-forgery.  You
seem to be saying that your solution is anti-spam.  It probably explains, in
part, why you've been hard pressed to get a discussion about the comparison
going.

But SenderKeys is more important long-term, because until we can
know with certainty that a spoof of an ISP domain is forgery,
then we can not do better anti-spam than assign an additional
probability to the e-mail that fails SPF.  With SenderKeys, we
can delete the forgery with higher confidence.  And spammers are
not doing too much existent forgery now, but with domain
reputation anti-spam like AccuSpam, they will be forced to.

Other than to respond to the "Enticement" e-mail, how do you determine what
is/is not a forgery?

So my philosophical summary is that SPF is important for
corporate dedicated domains (server MUA), it gives a probability
metric of forgery for ISP domains, it will have very low market
penetration for personal domains and we need SenderKeys to take
over the rest.  SenderKeys will be a more effective anti-forgery
solution for any human sender who uses a client MUA (email
program instead of a server) and uses his/her email program with
freedom and without the constraints and complications of
dedicated mail relays and complex forwarding "From:" address munging.

As a small domain owner, I disagree.  SPF is great from my perspective.  It
allows me to protect my good name.  I don't really need it to protect myself
from spam.  SpamAssassin is doing a very nice job of that for me.

If I could read a technical spec on SenderKeys, then I might have an opinion
about it.  The web page just doesn't explain things in enough detail.

Scott Kitterman
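An added example, not part of this post and not code from any SPF implementation: a small Python evaluator that shows how the record features discussed above play out on the receiving side, namely the "-all" and "~all" terminals, the exists mechanism that lets a domain authorise individual sending addresses without a second domain, and the receiver-side whitelist for forwarders that do not rewrite the envelope sender (no SRS). The domain names, addresses and the stand-in DNS table are constructed placeholders, and FAKE_DNS, lookup, expand_macro and check_host are this example's own names; a, mx, ptr and the other macros are left out.

```python
import ipaddress

# Constructed stand-in for DNS: (name, record type) -> list of record strings.
# Domains and addresses are documentation placeholders, not real records.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 exists:%{i}.auth.example.com -all"],
    ("203.0.113.7.auth.example.com", "A"): ["127.0.0.2"],
    ("example.net", "TXT"): ["v=spf1 ip4:198.51.100.1 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline lookup against FAKE_DNS; a real evaluator would query DNS here."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def expand_macro(term, ip, domain):
    """Expand the two macros this example needs: %{i} (sender IP, IPv4 only) and %{d}."""
    return term.replace("%{i}", str(ip)).replace("%{d}", domain)


def check_host(ip, domain, dns=lookup, trusted_forwarders=()):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain.

    trusted_forwarders lists receiver-side networks of forwarders that do not
    rewrite the envelope sender (no SRS); mail relayed by them skips the check,
    which is the whitelisting a receiver has to do for such forwarders.
    """
    ip = ipaddress.ip_address(ip)
    if any(ip in ipaddress.ip_network(net) for net in trusted_forwarders):
        return "pass"
    records = [r for r in dns(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a publishing error
    for term in records[0].split()[1:]:
        qualifier = "+"        # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True     # "-all" rejects, "~all" only marks, everything else
        elif name in ("ip4", "ip6"):
            # a mixed-version comparison is simply False in the ipaddress module
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "exists":
            # Matches when the expanded name resolves to any A record, so a
            # publisher can authorise single sending IPs without a second domain.
            matched = bool(dns(expand_macro(arg, ip, domain), "A"))
        elif name == "include":
            sub = check_host(str(ip), arg, dns)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, ptr and modifiers are outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and there was no "all" term


if __name__ == "__main__":
    for sender, dom in [("192.0.2.10", "example.com"), ("203.0.113.7", "example.com"),
                        ("203.0.113.8", "example.com"), ("203.0.113.8", "example.net")]:
        print(sender, dom, check_host(sender, dom))
```

The difference between the two terminals is only in what the receiver does with the result: "-all" lets it reject outright, while "~all" is the interim marking the post describes using for a couple of months before being sure every legitimate sending path was listed.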