Graham Murray wrote:
> Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
> > I have a feeling that Sender ID will proceed with an
> > exclusive focus on the PRA.
> Why? Having been following the Marid list for some while, I have seen
> far more posts against PRA than for it. Many have posted that an RFC
> 2821 check, on either or both MAIL FROM or EHLO, needs to be made. So
> it should not proceed with an exclusive focus on PRA.
My opinion is that anything in DATA can't be trusted, and the only way
it will be trusted is if the entire message is signed (SSL or PGP) at
the source MX - after AUTH. I would have to think that SSL is easier to
carry out logistically. A CRL would make negative databases much more
impressive.
Of course, then you get into the business and overhead of signing
messages, and only relaying/receiving valid messages. Keeping the
signatures tied to the server and not the end user provides a bit more
privacy, and makes it a bit more transparent.
Doing SPF checks on EHLO/MAIL FROM before DATA seems to be working well.
The PRA algorithm seems kind of odd and tedious to me, and I go back to
DATA can't be trusted.
Take care
Waitman Gobble
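
Added example, not part of the original message and not taken from any SPF implementation: a sketch of the pre-DATA check the thread refers to, evaluating the EHLO and MAIL FROM identities against SPF records before any message content is accepted. The domains, IP addresses and records are constructed, DNS is replaced by a dictionary, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (placeholder domains).
SPF_RECORDS = {
    "mail.example.org": "v=spf1 ip4:192.0.2.10 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate a subset of SPF (ip4, ip6, all) for one identity."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this subset
    return "neutral"


def pre_data_decision(client_ip, ehlo_name, mail_from):
    """Decide at MAIL FROM time, using envelope identities only (no headers)."""
    results = {"ehlo": check_spf(ehlo_name, client_ip)}
    # A null reverse-path (bounce) has no domain, so fall back to the EHLO name.
    domain = mail_from.rpartition("@")[2] if mail_from else ehlo_name
    results["mail_from"] = check_spf(domain, client_ip)
    if "fail" in results.values():
        return "550 reject", results
    return "250 continue", results


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, pre_data_decision(ip, "mail.example.org", "alice@example.org"))
```

Nothing from the message headers or body is consulted here, which is the difference from a PRA check that has to parse headers received during DATA.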