I just thought starting with the owner of the domain, who has some data
on what his customers are doing, might be a good place to start. It might
give confidence to the owner of the domain that s/he knows what probabilities are
being applied to his customers when they are not using the designated mail
servers. This might help spread adoption of SPF.
Doesn't this go back to your original problem, though? You were
claiming that ISPs would never publish ~all or -all because customers'
mail might get bounced.
Agreed, if you replace "never" with "contemplate risk of".
But if an ISP publishes a probability of
forgery other than 0
You mean other than 0.5?
In probability theory, 0.5 is neutral.
, they're taking the same risk -- except that the
results are less predictable.
More predictable, if they publish the correct #, because you are forgetting
there are 2 sides to this "seesaw", on one side is false positives (not
forgeries caught) and other side is false negatives (true forgeries not caught).
If they publish less than 0.5, then they put their customers at less risk of
false positive (when those customers use different mail servers) but they
increase their chance of being forged and lowering their reputation.
Vice versa if they publish greater than 0.5.
All the mail might not bounce; it might
bounce at some sites and not others, or bounce unpredictably, depending
on the way the probability is used locally.
No, probability cannot be thought of anecdotally like that.