--"Vivien M." <vivienm(_at_)dyndns(_dot_)org> wrote:
> I'm not saying SPF is hopeless as such, just that deployment should not be
> done hurriedly, and that in the hands of someone clueless/greedy with a
> captive audience (somebody who can't switch providers for whatever
> reason), SPF could hurt people. It may be that I overstated the risks of
> that happening in my earlier posts, yes, particularly if end users are
> flexible enough. (E.g. if you're forced to receive email to
> blah(_at_)someisp(_dot_)net and reply to them using another ISP, and
> someisp.net is publishing -all and being greedy about providing SMTP AUTH,
> you could just set your MUAs to send your replies from a newer, SPF-valid
> email and still receive mail sent to the old address.) I will admit too
> that perhaps I overestimated IT department cluelessness, as I discovered
> in between my previous posts that apparently one of several specific
> organizations I had in mind does provide a VPN service now (though not the
> more elegant SMTP AUTH) for off-campus users. And they aren't even
> publishing SPF... yet?

Hey Vivien, thanks for taking the time to write that. I think we are
actually closer to agreeing than disagreeing, so I'm pleased by that.
When I first came to the list, I think I had a vague feeling that SPF could
be implemented by a number of large-scale mail receivers within six months,
and would see widespread adoption within a year. I have now been on the
list a year and neither of those has happened. They seem slightly closer
but I am not going to bet on the next six to twelve months at this point.
What SPF needs more than anything is some success stories, and large-scale
testing. Mega ISPs like AOL and Hotmail can help themselves and the
community by reporting how well SPF works and in what areas it doesn't work
well yet. I think we are at a phase where Carl's efforts will be just as
pivotal as Meng's.
But I think your concern is well-founded and I also wouldn't advise anyone
to rush into SPF and just turn it on without a lot of testing and building
up whitelists.

> Constructive solution? Well... I'm not sure. If I overestimated the
> boundary conditions where SPF is a disaster, then maybe you people are
> right and SPF will work nicely enough. Personally, what I'd like to see
> is some form of technology that can match emails to specific
> three-dimensional people (some extension of S/MIME or PGP signing,
> basically), but without massive government bureaucracy, regulations, and
> so on, I'm not sure how workable that is on a large scale (on a small
> scale, you can do it already, obviously). Then everything that isn't
> matched is a forgery, no matter where it was sent from. I must admit I
> know far too little about DomainKeys, but it might be a step in that
> direction, except that it works based on domains rather than end-users...

I think Meng answered this well, if tersely :) Some sort of signing is in
our future. Both tools will probably end up being heavily used in the next
5 years. But of course I know by now not to try and predict the future
with any sort of accuracy.
Be well,
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
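The -all failure mode Vivien describes for a captive user who must relay through another ISP, shown as an added example that is not part of the thread: the ISP names, SPF records and IP addresses are constructed, and only the ip4/ip6 and all mechanisms are evaluated (no DNS lookups).

```python
import ipaddress

# Constructed SPF records for two hypothetical ISPs (not from the thread):
# someisp.net publishes a hard fail (-all); otherisp.net is the one whose
# SMTP servers the captive user can actually relay through.
RECORDS = {
    "someisp.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "otherisp.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def evaluate_spf(record, connecting_ip):
    """Return the SPF result for connecting_ip under a v=spf1 record.

    Only ip4/ip6 mechanisms and 'all' are implemented so this runs offline;
    a real evaluator also resolves a, mx, include and redirect via DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # catch-all decides everything else
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "Neutral"                         # nothing matched and no 'all'

def check_sender(mail_from, connecting_ip, records=RECORDS):
    """Look up the MAIL FROM domain's record and evaluate the connecting IP."""
    record = records.get(mail_from.rpartition("@")[2].lower())
    return "None" if record is None else evaluate_spf(record, connecting_ip)

if __name__ == "__main__":
    # Captive someisp.net user forced to relay through otherisp.net's server:
    print(check_sender("blah@someisp.net", "198.51.100.25"))   # Fail
    # Same address, but sent through someisp.net's own servers:
    print(check_sender("blah@someisp.net", "192.0.2.10"))      # Pass
    # The workaround from the quoted post: reply from the otherisp.net address:
    print(check_sender("blah@otherisp.net", "198.51.100.25"))  # Pass
    # What someisp.net would see had it published ~all while still testing:
    print(evaluate_spf(RECORDS["someisp.net"].replace("-all", "~all"),
                       "198.51.100.25"))                       # SoftFail
```

The SoftFail case is the difference between a bounced reply and a merely flagged one, which is why a receiver's "testing and building up whitelists" phase matters before anyone publishes -all.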