If I get a lot of PASS email from a SPF-enabled domain that ends up being
classified as spam anyway, then I can calculate my own probabilities of
(spam given domain, by domain) through my own receiving-server experience.
I could see major ISPs publishing these things
5% of SPF-verified email from free-viagra.example.com was classified as good
95% of SPF-verified email from major-software-vendor.example.com was
classified as good
etc. where the %s are absolute %s on a black-white scale or weighted
averages on a gray-scale.
So the numbers could be based on observed feedback rather than "made up."
If you have enough marketshare of internet e-mail, then yes you could measure
the spam rate of a domain that got past SPF. In fact, AccuSpam does this. The
problem is the smaller the e-mail traffic from domain, then more internet
e-mail marketshare (larger sample) you need to get reliable numbers.
The other thing to note is that you are measuring spam, not forgery. So you
will never know which of the spam was forged and which was a customer of the
domain. But I guess that does not really matter, if you ultimately you are
only interested to answer the question "is this spam?" and not "is this
forgery?".
The real problem with this is that unless someone is going to collect and
publish that data, then every receiver may be using a different and erroneous
number.
So yes if someone, other than owner of domain, wants to offer this data then
sure that would be best.
I just thought starting with the owner of the domain, who has a some data on
what his customers are doing, might be a good place to start. It might give
confidence to owner of domain that s/he knows what probabilities are being
applied to his customers when they are not using the designated mail servers.
This might help spread adoption of SPF.
If you all do not think so, then so be it.