spf-discuss

Re: Standards Strategy

2005-05-19 11:46:35
On 5/19/05, David MacQuigg <david_macquigg(_at_)yahoo(_dot_)com> wrote:
Looks to me like there are three possible outcomes:
1) A de-facto standard established by some large industry consortium.
2) A government-mandated standard.
3) An IETF standard.


I think you left out a possibility....in fact, reality. The only
reason that MS decided to abuse SPFv1 records by applying SID to them
is because people weren't publishing SPF2.0/PRA records. The reality
is that SPF1 is the de facto standard.

Please understand that I have nothing against SID per se and I don't
want to come off as an MS basher. My only gripe is that they are
stepping on SPF as a standard because it is to their advantage.

The IETF doesn't want to get involved in the SPF/SenderID battle.  The best
you can expect from them is no interference in how each group defines its
own method, and perhaps a standard within which all the methods can
operate.  If I understand the IETF "consensus" process, any uncompromising
minority can block a standard.  I expect that will block both SenderID and
SPF for many more years.  And don't forget about CSV.  They have a lot of
influence with the IETF, and a strong dislike of both SenderID and SPF.

How about a government standard?  The FTC is considering such a
mandate.  They can't force it on the world, but they do have enough clout
to break the current deadlock.  They don't want to get involved either, but
Congress may demand it.  If all US-based domains were required to
authenticate their email, the rest of the world would probably follow.

Looks like the most likely outcome will be #1, and we all know who has the
biggest consortium going.  Let's keep this in mind as we discuss the
details of any proposed inter-operability standard.  Which would we prefer,
a standard that accommodates all methods and will allow a superior method
to show its advantages, or one that allows only one method, the one with
the biggest market share?



The standard could and can accommodate multiple methods. If MS and
company had used the version that they originally said they would then
we wouldn't be having this discussion. As far as what I would prefer,
I would prefer that those who wish to use SID against SPF2.0/PRA do so
and let the SPF folks do their thing. Let the marketplace decide which
methods work.

Is there some consequence to this abuse that will be noticed by people
using SenderID, maybe some mail that gets incorrectly classified?  If so,
the backlash from users will be far more effective than any protests at
some Microsoft-sponsored conference.


The backlash will be against the sender domain (ISPs, Websites, etc)
because the finger will be pointed at them as the cause of the
delivery failure. "Deny it all you want but it is YOUR mail that isn't
getting through....so it is your problem/fault!"

No - the best way for resolution is education about what they are doing
wrong which would effectively stop their deployment and abuse either
directly at the end (people will not deploy a solution that is abusing
another system) or stop it at the standardization stage.


I beg to differ. If the SPF Council wishes to control the destiny of
SPF then they need to take control of SPF and how it is implemented.
Perhaps the SPF Council should grant licensing to the use of SPF
(Algorithm, trademark and copyright) on a basis that precludes abuse of
SPF. The acronym RAND comes to mind.

People care about results, not whether SenderID abuses SPF.  When I listen
to advocates of the different methods, even if I agree with what they are
saying, it makes me want to walk away.  This battle is turning everyone off
and will only cause further delay.


I see people using SPF in real life all the time. So show me all the
folks using PRA? The fact is that for the average person this simply
isn't on the radar screen.

Don't give them any more time to patch their product until nobody can
tell what it is, but it is actually SPF1 in disguise.  :>)

If they were doing 100% SPF1 and just called it something else for
convenience of marketing, I'd be fine with it actually and probably
everyone else here as well.

If they see only an SPF1 record, my guess is they will do exactly what is
required to get a correct result.  Anything else would hurt their sales,
and they are not that foolish.  Why are we wasting time speculating about
how they might screw up?


Correct result according to what? SPF? PRA? We know (go back and look
at the archives for the example I presented) that applying PRA to SPF1
records will cause legitimate mail to be rejected in some cases when
that mail would get a PASS from applying SPF to that same record. No
need to speculate. As far as MS not being foolish, somewhere there are
warehouses filled with a product called Bob. And look how the person
who managed that project got rewarded.

As I have said before, this is about politics not technical
implementation. If you feel it is politically expedient to compromise
(time after time.....That is a good Cyndi Lauper tune) that is your
prerogative. Just remember that pretty much most of the compromising
(looking back at MARID, etc) has been one sided.

Mike
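
The mismatch described above (one SPF1 record giving PASS for the MAIL FROM identity and a failure when the PRA identity is checked against it) can be reproduced with the following added example; it is not part of the original post and is not the archive example the post refers to. The domains, IP addresses and records are constructed, the evaluator handles only `ip4` and `all`, and the PRA selection is simplified to the header order Resent-Sender, Resent-From, Sender, From.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains, IPs and records are illustrative only.
SPF_RECORDS = {
    "alice-corp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "cards.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_record(domain, client_ip):
    """Minimal evaluator: handles only ip4 mechanisms and a trailing 'all'."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return results[qualifier]
        if mech == "all":
            return results[qualifier]
    return "neutral"

def pra_domain(raw_message):
    """Simplified PRA selection: first header present, in this order."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[header]:
            return parseaddr(msg[header])[1].rpartition("@")[2]
    return None

def compare(mail_from, raw_message, client_ip):
    """Return (result for MAIL FROM domain, result for PRA domain)."""
    spf = check_record(mail_from.rpartition("@")[2], client_ip)
    pra = check_record(pra_domain(raw_message), client_ip)
    return spf, pra

# Constructed message: a card service sends on Alice's behalf from its own
# IP with its own bounce address, and adds no Sender header.
MESSAGE = (
    "From: Alice <alice@alice-corp.example>\n"
    "To: bob@recipient.example\n"
    "Subject: A card for you\n\nHello\n"
)
print(compare("bounces@cards.example", MESSAGE, "198.51.100.25"))
```

If the sending service adds a `Sender:` header in its own domain, the PRA moves to that domain and both checks agree again.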

