spf-discuss

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 13:30:39
Does anyone have anything substantive to say about SPF vs. SenderKeys?

I'm skeptical about the true viability of an MUA based system. Many of 
the people who admin large email bases (that I know of) use non-Windows 
based mail clients, often console based like Mutt, or Pine, and many use 
Mac Mail. Another large group use web based email like Squirrel, or 
IMP, for their own setups. 

Are you going to provide the patches for all these different mail 
clients to use SenderKeys? Or are those of us who use such "low 
marketshare" clients left out in the cold? 


Thank you!  Finally some interesting factual debate.

This is a good point.

However, consider that supporting "-all" for SPF (in order to give SPF similar 
anti-forgery power) for all domains is also going to require upgrades to all 
MUAs in order to integrate with many different flavors of SMTP authentication 
at many different servers.  At least with SenderKeys, the integration for MUA 
is very well defined and very simple and uses existing protocols.  The MUA 
simply POPs (or IMAP) the SenderKeys auto-response, stores the private key and 
uses it.  SMTP and POP see SenderKeys as just another e-mail, no compatibility 
issues as there will be with SPF:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0670.html

Additionally the best answer to your question and the one SPF folks will like 
the most, is that we always have SPF not "-all" to fall back on :)

We need both SPF and (something like) SenderKeys (see link above).


It seems to me that the ratio of MTAs to MUAs is pretty low, so 
that makes me think that an MTA based system, which is transparent to 
the consumer, is the right way to go.


Until you contemplate that only "-all" in SPF really solves forgery of ISP and 
personal domains, then you realize you have to upgrade all the MUAs, as well as 
the MTAs.  (Rhetorically) What happens in computer science when you change 
multiple things simultaneously?

Answer: more things break.


For those small-shop 
admins who don't have the experience to implement a solution themselves, 
there are communities like this list in which there are a number of 
people who are more than willing to help anyone implement a solution 
that makes ALL of our lives better.


People who buy "myname(_at_)myname(_dot_)com" are not even close to being 
"small-shop admins".  They know how to buy a computer and click "Send" in 
Outlook and that is about it.  They relay their email off their ISP (partially 
because they have to because ISPs now block port 25 to outside SMTP)...but 
there are many more ramifications to discuss...more than I can summarize 
here...just be sure that you are thinking from the perspective of a sys admin, 
not from the perspective of all those small domain owners.

Besides even for an ISP domain, where the DNS and mail server changes are 
centralized, all the ISP's customers still have to upgrade their MUAs, have to 
configure their MUAs for SMTP authentication, and even after all that, they 
still have forwarding issues with SPF and they are now locked into their ISP's 
SMTP, which might break if they log in via another ISP which blocks port 25 (say 
they are using POP before SMTP method), or erroneously blocks port 587, etc.
There are so many possible pitfalls, it is impossible to fathom them all...

Whereas, with SenderKeys the user simply downloads and installs a patch or 
plugin from their vendor.  Simple in comparison.


Changes to MUAs require *everybody* to upgrade their MUA. Changes to 
MTAs require only service providers to upgrade. It will be similar to 
the battle to have open relays closed.


SPF with "-all" does not escape this problem.

We have to get "-all" some way.  What is easier, SPF "-all" or SenderKeys?  If 
you analyze with an open mind and carefully, I think you will come to the 
conclusion I did after 2 years of careful thought process:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0670.html

Shows a 2002 timeframe began thinking about these issues:

http://www.google.com/search?hl=en&q=nilsimsa+shelby&safe=off&filter=0

Thanks,
Shelby