spf-discuss

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 16:53:45
This has been extensively discussed on the list. Without creating 
another domain, entities with complex situations such as you describe can 
deal with them effectively with the exists mechanism. 


It is not just me.  If you doubt it, then get a major ISP to set "-all" and see 
what happens.  False positives will be flying everywhere and the "-all" will 
be removed faster than you can say "whoops".

Do you want to detail more factual scenarios?  I think if you dig through all 
my posts already in this thread there are numerous examples.

The key point is an ISP will never know what its senders are doing with their 
MUAs.  There is no mechanism in SPF to confirm and set "-all".

And for personal domains, most people just are not savvy or have 2 months to 
figure it out.  Many struggled just to figure out how to register a domain and 
get email to come and go from it.  People are not going to go through the 
hassle when they are not even getting their address forged yet.  And when they 
do go through hassle someday, then you will have many cases where novices screw 
up, their email breaks *SILENTLY* and SPF is going to make a lot of people 
pissed off!  I do not think that will happen, because I do not think people are 
going to ever embrace SPF in wide scale.  SPF will be more for dedicated 
domains like corporations and as a line of first defense (no "-all" but at 
least we have 90% indication of forgery).


How would your approach work for me when I'm connecting from my Palm OS 
based telephone. Is there a patch for the MUA I use there? 

Why not?  What makes s/w different on Palm than on any other device with IC 
chips inside?  You can upgrade s/w on Palm.

But the bigger point is you do not have to use SenderKeys.  Unlike the "-all" 
on a major ISP proposition for SPF, with SenderKeys it will not be forced on 
you.  You can use SPF if you prefer.  That makes me just as happy.  Whatever 
people want to use that works for them is great with me! :)

Oh, and an update to Squirrel Mail that my domain host (yours too as it 
happens) uses for webmail would be appreciated too: 

Just like PHP gets updated when they find a security flaw.  Upgrades actually 
do happen in this universe.  My mom says "upgrade" is an "oxymoron" though :)

Thanks,
Shelby



