spf-discuss

Re: Avoiding the DNS Hunt

2005-05-21 16:40:25
On Sat, May 21, 2005 at 02:40:07PM -0700, David MacQuigg wrote:

Senders do not "use" SPF, domain owners do.

> My point is that even if a receiver always checks SPF first, it won't
> avoid a DNS hunt.  We can't assume that the owner/admin of a
> domain/subdomain in the MAIL FROM identity has published an SPF record
> just to tell us which other method he/she uses.

We also cannot assume that the domain owner didn't, even if
the actual sender tells us not.

The point is that we cannot accept anything in the mail session,
unless it is verified by other means.

SPF does just that: it queries the domain's DNS.

SPF has another advantage over ID.  It does not need change in
the SMTP protocol whereas adding ID does.  Should ID make it
into a spec, we can verify it in, say, twenty years.  We need
something yesterday, not in twenty years.

> The most costly hunts will be those that check every possibility and find
> no authentication records at all.  A spammer could even maximize the load
> by making sure every identity had the maximum number of subdomain levels
> to search.

Right.  So a spammer is going to pretend to be a forwarder and
somehow manages to make us believe (using ID) that the request
is legitimate.  The spammer has control over what we are going
to check, instead of the domain owner.

But this is all off topic.  ID is not in the SPF proposal and
I don't think it belongs there nor do I think it is going to
be in it.  It simply cannot work, not in the near future at
least.  I wish you luck with your id-discuss mailing list and
may even join it once SPF is fully operational.

Good bye.
Alex

