Meng Weng Wong:
To satisfy all of the above views, I would like to pursue
the following approach with Sender ID:
v=spf1 originally applied to mail-from.
v=spf1 now applies to helo as well.
v=spf1 will in future apply to PRA also.
Senders whose PRA and mail-from configurations are
identical need only publish v=spf1. This describes the
vast majority of senders, particularly those with control
over the Sender header.
I like this approach. A lot of the work we did to define Unified SPF was
an effort to include other identities that might often have the same
policies as mail-from, or at least would benefit from using most of SPF's
mechanisms.
I see Sender ID as totally in the spirit of Unified SPF. As an early and
strong advocate of Unification, of course I want to see Sender ID do well,
because if Sender ID does well, Unified SPF will probably do well too.
Now, to be clear, I don't like Microsoft much at all, and their patent and
other behavior stinks. I would like to see Sender ID do well, but I will
probably not use it myself, unless their license is somehow fixed. But,
this doesn't change my stance.
If I were to take a page from the MS playbook, the page that comes to mind
right now is "embrace and extend". Even if I will never buy Sender ID from
Microsoft, I would still like Microsoft to buy SPF and use it. In other
words, even if Microsoft is the only one eating Microsoft-brand dog food,
at least they are getting some (most) of their raw materials from us.
Senders whose PRA and mail-from configurations are
different can override using an spf2.0 record.
Receivers who interpret PRA scope MUST read spf2.0
records.
Receivers who do not see an spf2.0/pra scope MAY
substitute with a v=spf1 record.
Senders who do not believe that PRA is useful at all can
ignore spf2.0. If their mail is rejected because their
v=spf1 record is interpreted according to PRA rules, they
should set up an spf2.0/pra record containing only ?all.
Sounds reasonable.
So, even if nobody here likes Microsoft and nobody here
likes PRA, those are the reasons I think we should specify
spf1 to include PRA, and we should specify spf2.0 to allow
explicit PRA scoping.
Yes. We could even leave it open-ended and say "whatever scope anyone else
wants to invent, that's OK too".
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>