spf-discuss

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 19:56:19

However, consider that supporting "-all" for SPF (in order to give 
SPF similar anti-forgery power) for all domains is also going to 
require upgrades to all MUAs in order to integrate with many 
different flavors of SMTP authentication at many different servers.

Most server software supports SMTP AUTH, though it isn't always 
switched on.  Most clients also support SMTP AUTH.  There's no need to 
support multiple systems.  The only other common system I'm aware of 
is POP-before-SMTP, but that's pretty crude and I'm not sure it really 
counts as authentication.  It doesn't require any special MUA support, 
though. ;)


I agree. I don't see this as an issue. People that aren't using SMTP 
AUTH are just plain crazy IMHO. I have had it set up on my systems for a 
good long time.

Thought you were going to let me sign off and get some sleep :)

"Crazy" maybe, but do not f**k with their email.  Because I can bet you that 
99% of people do not use AUTH, just as 99% probably do not even use APOP and 
send their mailbox passwords in clear text.

One thing I learned from making anti-spam is that users do not give a s**t 
about your technical goals, if you delete their beloved greeting card, you are 
going to be deleted from their life.


What is troubling is that a _widely_ used client doesn't like to AUTH 
with a decent mechanism. At least it does SSL.

Considering that most users (and many ISPs) haven't even graduated to APOP 
even...when we know that with wireless any student with some freeware can sniff 
your password...

Thanks,
Shelby

