spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Moving Forward ...

2004-10-14 12:32:04
from [Rand Wacker] [Permanent Link] 
To echo what Carl said, the open source and commercial customers that
Sendmail supports are very worried about the uncertainty in the
authentication space elongating the adoption.  Someone posted to the list,
"if we do X, then Microsoft has won," but the problem is really that right
now the only people "winning" are the spammers!

Since we were some of the first to suggest that a convergance of SPF and
Caller ID would be a net win for Internet users as a whole, we have
continued to work with both groups, as well as folks working on
DomainKeys, CSV, BATV, etc.  Our latest set of open source milters we've
released for testing support both Sender ID, and SPF Classic, as well as
DomainKeys.

The more we have worked with major sites to help spur adoption of these
very important technologies, the major concern that everyone has (both
senders and receivers) is the confusion of multiple record types and
changing standards.  The bulk of the Internet mail admins don't have time
to follow this list closely (I'm sure its a strain for many of us to keep
up with all the different traffic on the 8-odd lists that deal with these
different issues).  They are looking for consistancy and a clear direction
of what to do, and they want the tools that are going to give them the
best experience for their users.

As such, people are going to be authenticating *both* the envelope and the
headers.  I would urge /this/ community to think about ways that they
could provide backwards compatibility for RFC2822 From: checking, as this
is clearly the desired goal of large sites that are publishing nearly
identical records.  The easiest way to do this is to do From: checking
against the already-published spfv1 records (as well as envelope
checking).

Please, please, PLEASE, consider modifying the old protocol to include a
modifier that would allow people to specify "only apply to envelope", or
consider moving to the most recently proposed spf2.0 record that has scope
indicators for mailfrom, pra, and possibly add from/sender and/or helo.
Senders who publish multiple scopes are not at any risks from any pending
patents, and it will give the receivers the information they need to best
help them decide to accept your mail.  Separate the PRA scope out in to a
separate document and leave it for Microsoft to flog at their will, if you
wish.

Several major Internet players have asked you for these changes, either
directly on this list or by their publication of multiple records.  Please
consider their requests.

-Rand
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: 2.3 Checking Authorization, David Brodbeck
Next by Date:  RE: Unrecognized Mechanisms and Modifiers, guy
Previous by Thread:  RE: Moving Forward ..., John Glube
Next by Thread:  RE: Moving Forward ..., John Glube
Indexes:  [Date] [Thread] [Top] [All Lists]