
Re: web page on sender ID

2004-11-08 18:06:41
Frank Ellerman wrote:

mholm(_at_)medrad(_dot_)com wrote:

> I expect he is right and I got it wrong.

That's not the case. It's one of the few hard MARID results,
that Sender-ID cannot abuse existing v=spf1 sender policies,
because it's semantically different and incompatible. That's
why they switched to spf2.0/pra for PRA, and after PRA failed
in the "internal last call" the essential part of classic SPF
was added as spf2.0/mfrom.


If I count myself as 1/2 vote, that makes 1 1/2 votes that I was right the first time and 1 vote that I got it wrong.


Frank also wrote:

> Many domains will not experience problems from the use of
> their spfv1 records by SenderID.

Almost all domains would suffer badly from the abuse of their
v=spf1 records by Sender-ID, unless they stay away from many
mailing lists, moderated newsgroups, broken MTAs, well behaved
MSAs enforcing submission rights without modifying the DATA,
forwarders implementing SRS, and other potential problems.

Frank is pretty adamant about this. I really don't know. On this, I was taking my cue from Wayne because he suggested that language (somebody else's, with perhaps some elaboration by me) suggesting problems are likely from spfv1 record reuse was an overstatement at best.

That makes clear one of the strongest current points about SenderID. The darned thing hasn't been tested enough, or at least the test results haven't been made public. Nobody knows, from an actual experiment, how much trouble it may cause. Using Hotmail to do the experiment may give a nice big sample size, but it is a bit risky. At least MS bears a big chunk of the risk. Then of course there is the problem that MS is not likely to make unedited data available.

The obvious thing would be for somebody to throw together a SenderID clone, good enough for logging purposes, and run it on several servers to get some clue what might happen. At least that much shouldn't cause license concerns! I wish I could do it, but honestly, I can't. Probably AOL is doing exactly that, but likely won't make their data public either.

Mark Holm
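The logging-only experiment suggested above, sketched as an added example that is not part of this thread or of any SPF or Sender-ID implementation: it extracts the PRA domain from the headers (a simplified RFC 4407 order that ignores the Resent-* ordering rules), picks the record a Sender-ID checker would apply for the pra scope, and records whether a v=spf1 record had to be reused because no spf2.0/pra record exists, together with whether the PRA and MAIL FROM identities differ. The mailing-list message, the domains and the TXT records are constructed sample data; `select_policy` also handles the mfrom scope, which the text only mentions.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Simplified PRA header order (RFC 4407); Resent-* precedence subtleties are omitted.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed sample: a list rewrote MAIL FROM to its bounce address but added no
# Sender: header, so the PRA still points at the original author's domain.
SAMPLE_MAIL_FROM = "listname-bounces@lists.example.org"
SAMPLE_HEADERS = ("From: Alice <alice@example.com>\r\n"
                  "To: listname@lists.example.org\r\n"
                  "Subject: test\r\n\r\n")
SAMPLE_TXT = {  # constructed DNS TXT answers per domain
    "example.com": ["v=spf1 mx -all"],
    "lists.example.org": ["spf2.0/mfrom,pra mx -all"],
}

def select_pra_domain(raw_headers):
    """Return the domain of the Purported Responsible Address, or None."""
    msg = HeaderParser().parsestr(raw_headers)
    for name in PRA_HEADERS:
        addr = parseaddr(msg.get(name) or "")[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None

def select_policy(txt_records, scope):
    """Pick the record applied for `scope` ('pra' or 'mfrom').
    Returns (record, reused_v1); reused_v1 marks the v=spf1 fallback that the
    thread argues is semantically incompatible with Sender-ID's PRA check."""
    for rec in txt_records:
        m = re.match(r"spf2\.0/([a-z,]+)(?:\s|$)", rec)
        if m and scope in m.group(1).split(","):
            return rec, False
    for rec in txt_records:  # Sender-ID treats v=spf1 as if it were spf2.0/mfrom,pra
        if rec.startswith("v=spf1 "):
            return rec, True
    return None, False

def log_observation(mail_from, raw_headers, txt_by_domain):
    """Logging only: no accept/reject decision, just what an experiment would record."""
    mfrom_domain = mail_from.rsplit("@", 1)[1].lower()
    pra_domain = select_pra_domain(raw_headers)
    record, reused = select_policy(txt_by_domain.get(pra_domain, []), "pra")
    return {"mfrom_domain": mfrom_domain, "pra_domain": pra_domain,
            "identities_differ": pra_domain != mfrom_domain,
            "pra_record": record, "v1_reused_for_pra": reused}
```

Run over real traffic with the DNS lookup swapped in, the `v1_reused_for_pra` and `identities_differ` counters are the numbers the thread says nobody has published.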

