spf-discuss

Re: Trying to specify SPF Classic? (Was: draft: SPF community's position on MARID closing

2004-09-27 08:43:40
On Sun, 26 Sep 2004, Stephane Bortzmeyer wrote:

> I agree but, in the meantime, SPF Classic is the one being
> deployed. Wouldn't it be a good idea to have two related but separate
> efforts, one to produce SPF Unified for the future and one to specify
> accurately SPF classic? The current Internet-drafts on spf.pobox.com
> are unmaintained and contain many errors. Starting from the last
> -protocol draft of MARID, which seems very close to the current SPF
> records, would allow an Experimental RFC describing SPF Classic to be
> out quite fast.

Yes, this would be very worthwhile - and not even as hard as belling
the cat.  It would also be very helpful to the SPF Unified group in
ensuring backward compatibility / smooth upgrade.

> I suggest also to have a separate mailing list devoted to that
> description of SPF classic, with a clear charter, describing the
> *current* SPF, without any "improvement", while spf-discuss would
> continue to develop SPF Unified.

As the maintainer of some SPF checking code and publisher of SPF
records, I would like a mailing list or website where I could check
for changes I should make now as opposed to brainstorming about 
future improvements.

Random thoughts:

My vision for the future is that there would be a number of authentication
methods, including the IP based one (only works for first hop and 
is problematic for those forced to use ISP MTAs), SES (hash cookie
in MAIL FROM which can be verified via SPF exists or SMTP or special
purpose UDP protocol), Domain Keys (expensive encryption, problematic 
message digest).  The SPF record would publish which methods
the sender is implementing.  A mail receiver would accept any of a list of
implemented methods as authentication according to local policy.

SPF classic already allows the SES method in addition to the IP method
via exists.  I would like to see official modifiers/mechanisms in future
SPF versions explicitly mention implemented authentication methods other
than IP based.  I am very sold on publishing sender policy via a DNS
record like SPF.  I am not so sold on IP based authentication working
for everyone.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.