From: Rik van Riel
Sent: Wednesday, September 15, 2004 3:24 PM
On Wed, 15 Sep 2004, Seth Goodman wrote:
This gigantic loophole can be closed by using an adjunct
protocol along with SPF that does end-to-end validation
of forwards. SES is one such protocol.
But if you have such an end-to-end validation, why should
we bother with SPF in the first place ?
Confused...
It's a confusing situation. From a purely technical standpoint, an
end-to-end protocol like SES could be used instead of SPF for MAIL FROM:
validation. From a practical standpoint, here's what SPF has that no other
current protocol has:
- a solid year of hard work by hundreds of participants
- numerous implementations tested leading to improvements
- widespread evangelizing of SPF to peers and the media
- nearly 100K domains with published SPF records
- several major providers _expect_ to use SPF
- more progress through the IETF process
Though SPF does have problems due to its hop-by-hop authentication, it is
going to be adopted, unless something very surprising happens. SES does fix
the most serious problems with SPF, which are its breakage of forwarding and
its inability to validate the originating sender on forwards. It also
throws in forged null-sender rejection as a bonus and gives SPF back the
joe-job protection we all came here for in the first place.
SPF using SES as a forwarding mechanism is a very synergistic solution. It
appears to be a win-win for all concerned: senders, recipients and
forwarders. No changes to SMTP, no changes to SPF classic for direct
delivery messages (the majority) and SES only comes into play when there is
a forward or a bounce. By giving very strong authentication of the
originating domain, it lays the groundwork for proper authentication of the
2822 headers. SPF has extensibility to expand its scope in that direction,
as long as we steer clear of PRA.
If anyone wants to seriously consider using an end-to-end protocol like SES
as a replacement for SPF MAIL FROM: validation, that would be an interesting
discussion. Unless you called the end product SPF, it would create
confusion and get in the way of adopting something in a reasonable time
frame. From a purely technical standpoint, IMHO, SES is a superior protocol
for return-path validation than SPF. Like most real problems, we don't have
the luxury of considering only technical issues.
--
Seth Goodman