At 04:30 PM 9/3/2004 -0400, Meng Weng Wong wrote:
On Fri, Sep 03, 2004 at 01:38:48PM -0400, guy wrote:
|
| 2. SPF records are optional. This is crazy. Maybe for now, but again, by
| say 2006 SPF should be required. MX records are required (I think) to
| receive email. So there is nothing wrong with having a requirement to send
| email. Sure, not today, but sometime in the future. Also, the SPF record
| should become a new record type, and stop using the TXT record at some point
| in time. After all, most domains never process email.
|

perhaps we can say "after X date, in the absence of an SPF
record, we will assume a/24 mx/24 ptr -all"

In my experience, you can say that only if you want an unacceptably high false
positive rate on those who do not publish "-all".

I do not think this is necessary. The requirement is inherent. If a domain
owner is losing too much $ due to phishing, then they will set "-all". If they
do not set "-all", it is because the costs of doing so outweigh the benefits.
So it scales itself, no need to place artificial requirements. Instead, our
role needs to be to educate more. I already see there are misunderstandings
within even the "experts" in this discussion list about what SPF and SenderID
can and can not do, which in turn may lead some, e.g. banks, to think that
SenderID is for example more of a predictable anti-forgery than SPF.

It is also increasingly clear to me that the end result of SenderID is to
change the standard for e-mail headers, to give Microsoft the authority to say
"what is correct implementation" for anti-forgery (via the license
requirement), and thus to give Microsoft a way to fork the internet and defeat
GPL.

I can now see why large institutions support SenderID as the standard. I bet
they are more confident that Microsoft can fork e-mail into a predictable result for
anti-forgery. That is a scary thought.

Off topic, a friend of mine, who is more into conspiracy theories than I am, has
often suggested that the largest companies actually are responsible for most of
the spam. I do not see enough non-circumstantial proof. They make $ from it
(bandwidth sales, routers, etc) and it is not implausible that a large company
could use spam (noise) as a way to get one's way in the market. Unfounded food
for thought only...
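
The sketch below is an added illustration, not part of the original messages: it evaluates the fallback record quoted in the thread, `a/24 mx/24 ptr -all`, against a few senders for a domain that publishes no SPF record, to show where a false positive comes from. The domain, addresses and DNS answers are constructed, and only the `a`, `mx`, `ptr` and `all` mechanisms are handled (no forward-confirmation of PTR names, no `include`, `redirect` or macros).

```python
import ipaddress

# Constructed DNS answers for a hypothetical domain (documentation ranges).
DNS = {
    "a": {"example.org": ["192.0.2.10"]},
    "mx": {"example.org": ["198.51.100.25"]},  # MX host address, pre-resolved
    "ptr": {"203.0.113.40": "mail2.example.org",
            "203.0.113.200": "out.esp.example.net"},
}
ASSUMED_DEFAULT = "a/24 mx/24 ptr -all"  # the fallback proposed in the thread

# Constructed senders, all legitimately sending mail as example.org.
SENDERS = {
    "192.0.2.99": "office host in the web server's /24",
    "198.51.100.7": "host in the MX's /24",
    "203.0.113.40": "second mail host with a matching PTR name",
    "203.0.113.200": "outsourced mailing service",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, domain, ip, dns=DNS):
    """Return the result of the first matching mechanism, left to right."""
    addr = ipaddress.ip_address(ip)
    for term in record.split():
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, cidr = term.lstrip("+-~?").partition("/")
        if name == "all":
            return RESULT[qualifier]
        if name in ("a", "mx"):
            prefix = int(cidr) if cidr else 32
            for host_ip in dns[name].get(domain, []):
                net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
                if addr in net:
                    return RESULT[qualifier]
        elif name == "ptr":
            # Simplified: real SPF also forward-confirms the PTR name.
            host = dns["ptr"].get(ip, "")
            if host == domain or host.endswith("." + domain):
                return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def false_positives(record, domain, senders=SENDERS):
    """Legitimate senders that the given record would reject outright."""
    return [ip for ip in senders if evaluate(record, domain, ip) == "fail"]

if __name__ == "__main__":
    for ip, role in SENDERS.items():
        print(ip, role, "->", evaluate(ASSUMED_DEFAULT, "example.org", ip))
```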