Please make sure this helpful and on-topic post gets posted to list.
Very important improvement for SPF suggested below!
Do you see AOL or Earthlink, which both have SPF records, actively
preparing their users for SMTP authentication?
Have you done any estimates on how much $$$$ it might cost Earthlink to
upgrade it's *millions* users?
Has any cost analysis at all been done on SPF "-all"????????
No cost analysis from me. I'm just a small ISP. For AOL its easy: AOL
10.0 Earthlink would be similar. They spend millions littering mailboxes
and TV screens nationwide, maybe even worldwide with advertisements and
CDs. Either one is capable of painless user upgrades to ease the
transition. In fact, it would help push their portal services to move
off-network customers to their browser based mail client.
Has any one confirmed this with them?
Because I am an Earthlink subscriber since 2000:
coolpage(_at_)earthlink(_dot_)net
And I know you do not have to install the Earthlink software to connect via
Earthlink and use your @earthlink.net e-mail address. I can post to the list
from an Asian ISP right now if you want me to prove it?
Note also that Earthlink was formerly MindSpring (and many others), and all
those were not using an installed software package, so those (millions?) legacy
users may still not be using the Earthlink software package.
Note that many (most?) large ISPs (at least afaik in USA) were made via
acquistions. There userbase is not as uniform as if one were to assume all
their users were signed up today.
It is dangerous to make assumptions without verifying them, especially when you
are talking about millions of users per ISP then by Murphy's Law there are
going to be cases you did not expect.
Remember that publishing SPF records does not help the publisher. Most
people have a problem with receiving forgery, not sending it.
I'll agree that publishing does have a direct effect on recipients, but
there is also a great benefit in protecting the reputation of forged
domains.
You mean "does *not* have direct effect" I assume (typo above)?
Agree on benefit of reputation protection, but my point is has a cost/benefit
analysis been done for the large ISPs that really matter in terms of SPF's
adoption?
Thanks for letting me input. I will stay on topic and factual. I am not
trying to hurt SPF. What I want is for us to be *brutally* realistic and try
to think of ways to get SPF adopted in large ISPs.
I have a suggestion. I claim no ownership of this and it may have been
mentioned before.
How about we add a new option to "all" mechanism, which instead of "?" or "-",
then ISP can declare a percentage, which is the probability that reach that
point in the rule is a forgery???
I think this would go a long way to making SPF more useful for deleting spam.
I think this would help Spam Assassin, and it would give the ISP more control
over what the SPF rule does. This will give a very low cost and high benefit
option to large ISPs while they transistion to "-all".
Thanks,
Shelby