spf-discuss

RE: Re: When did we lose control?

2004-10-25 11:38:14
From: Michael Hammer
Sent: Monday, October 25, 2004 9:20 AM

<...>

Seth,

I'm using your posting to this thread as the starting point for my
reply. While you are correct in saying "Your MTA, your rules", I think
that is a pretty narrow view.

Yes, you're right.  I was being rather gruff, and what I should have said is
something like, "RFC's are voluntary standards, and no one can force anyone
else to comply with them.  If you don't comply with them, that may cause
delivery failures which will create pressures to comply, but ultimately,
each organization can decide its own policy."  Having said that, I believe
that anyone who ignores the community standards (RFC's) in a way that breaks
mail transport for legitimate parties without a reason that most other
people would accept is conducting a rogue operation.  I would hope the other
participants in the cooperative email system would recognize and treat them
as such, but very often, mail delivery trumps this, if the offender is large
and stubborn enough.

Perhaps a concise way to put this would have been, "Your MTA, your rules,
your consequences."


I also view what Phillip wrote as troubling.

Yes, and this is quite understated.  This is potentially a very serious
problem.  I would hope that Phillip, and VeriSign, reconsider their
position.  In light of the very strong support for spfv1 not being
interpreted according to the PRA algorithm, this would put anyone who
insists on interpreting spfv1 records according to PRA rules into the
position of an uncooperative member of the community.

I would pose this question to Phillip: exactly why do you, and presumably
VeriSign, find it necessary to interpret sender policy records, published
under one explicit set of rules, under a completely different and
incompatible set of rules?  If MARID had come down in favor of PRA being the
algorithm of choice instead of what it finally did, surely you would expect
the rest of the community to honor that decision and would pressure anyone
who didn't to comply.  In light of this, I urge you and your company to
cooperate with the overwhelming support in the technical community for spfv1
not being improperly interpreted in the context of PRA.  This would be very
good PR for VeriSign.  Given a number of recent incidents where VeriSign and
the larger technical community have been at odds, this would be a very
desirable development.


<...>

Mike,

I agree with the rest of your post.  That is the position we will all be in
if any large organizations decide to act as "spoilers".  While it is
possible for a large organization, by refusing to cooperate, to wreck an
open standard, it works against their long-term interests and is not
advisable.  Alienating the half a million domain owners who have published
spfv1 records, some of them very prominent, under the assumption that they
will be interpreted according to spfv1 syntax and semantics, is not an
action that should be taken lightly by anyone.

Cooperation is a win-win in this case.  It makes a strong statement that
your priorities are in stopping the global spam epidemic.  Digging your
heels in and refusing to cooperate does not make that statement, no matter
how big you are or how correct you feel your solution is.

--

Seth Goodman