spf-discuss

RE: Email Forwarder's Protocol ( EFP )

2005-02-22 22:12:54
On Tue, 22 Feb 2005, David MacQuigg wrote:

> Bouncing the way they always have is no good, because return paths can be
> forged, Received-SPF headers can be forged, anything can be forged except

Return path is not forged when sender publishes (a non-trivial) SPF
record and receiver checks it.  That is the point of SPF.
If senders don't publish a useful SPF and get bounces from forged
return paths, that should motivate them to publish.

> the IP address of the immediately previous forwarder.  By bouncing only to
> that address, we don't need to depend on the headers.

You're reinventing the SRS wheel.

You're also reinventing the SPF wheel.  How do you know precisely which
IP addresses actually belong to the previous forwarder?  Call them on
the phone?  What about when the list changes?

> stalled.  When Microsoft comes out with SenderID, no doubt there will be
> efforts to stall it.  Either method will work, but neither will work if

SenderID attempts to authenticate header From and competes with
DomainKeys.  Different animals.  We need those other layers also,
but that is not what SPF is addressing.  SPF is the consensus of 3 or 4
preceding MAIL FROM validation systems (more history at spf.pobox.com 
and other sites).  There are no serious contenders with SPF for
MAIL FROM validation except proposed extensions (unified SPF, SPF2 which
include separate HELO scope among other things) which are generally
compatible, and SES (where the sender signs MAIL FROM) which is
also compatible and complementary.

SPF works just fine, and will continue to be useful for those who
publish/check it regardless of whether it ever becomes universal.
Before SPF, you could verify that an email was really from your
business partner by comparing the IP against a list.  The list was
maintained manually, and required a phone call when the IPs changed.
SPF automates the chore of publishing lists of IP addresses 
authorized to send email for a domain.  This is an extremely useful
function regardless of the latest SPAM fads or general adoption.

If people would just think of SPF as an automated IP list publishing
framework for email senders instead of all this FUD about SPAM and
disrupting email. 

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.