Julian, Thanks for taking the time to respond. I can see there is a huge
gap in our understanding of a simple situation. There is some hidden
assumption we don't share. Usually an example will quickly find these
hidden assumptions. Let's follow through on this.
At 12:19 PM 5/22/2005 +0200, Julian Mehnle wrote:
At 02:40 PM 5/21/2005 -0700, David MacQuigg wrote
At 06:56 PM 5/21/2005 +0200, Julian Mehnle wrote:
The example incoming commands:
EHLO mailserver7.bigforwarder.com
ID bigforwarder.com
MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com>
The current SPF-only alternative using SRS:
EHLO mailserver7.bigforwarder.com
MAIL
FROM:<bob#sales(_dot_)some-company(_dot_)com(_at_)bigforwarder(_dot_)com>
The current Sender-ID-only alternative:
EHLO mailserver7.bigforwarder.com
MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com>
SUBMITTER=bigforwarder.com
My point is that even if a receiver always checks SPF first, it won't
avoid a DNS hunt. We can't assume that the owner/admin of a
domain/subdomain in the MAIL FROM identity has published an SPF record
just to tell us which other method he/she uses.
You are valuing not having to do a single DNS lookup (in order to find out
_if_ SPF can/should be used at all) over the receiver's freedom to choose
what authentication mechanism he finds useful. This evaluation of yours
is absolutely unpractical.
I think you may still have an "SPF only" perspective on this. If the
receiver does SPF only, then your are right. The question is simply - Does
this ID have an SPF record? In general, most receivers will have available
whatever methods are popular. So without an explicit ID declaration, it
will have to hunt for authentication records in many places, like
_client._smtp.<ID>.
With an explicit ID declaration, the receiver can do one query and find out
not only what authentication methods are offered, but probably pick up all
the data necessary to do a complete reputation/authentication check.
The receiver never has complete freedom to choose the authentication
method. The ID owner specifies the methods, and the receiver gets to chose
from what is offered. My guess is that most receivers will have available
any authentication method that is being actively promoted and supported.
What if the owner of the example.com domain actually used SPF, but the
sender, who wants to abuse the example.com domain, says "ID none" (or
doesn't say "ID" at all)? What's the receiver supposed to do then?
"ID none" should be an immediate reject. I wouldn't accept mail from any
sender that says - "I know you want my ID, but I'm not going to give it
to you."
This makes your proposal 100% backwards incompatible to the current system.
I don't understand what you mean by "backwards incompatible". Older
systems will not use the ID command at all. The SMTP client will not send
this command unless the SMTP server says in it's EHLO response that it will
be accepted.
I would go one step further. I would reject any ID that is not a valid
domain name, and that would include words like "none" or even
"screw.you". I can even imagine receivers have a table of accepted IDs,
thus avoiding even one query for the typical random.spammer.name.com.
--
Dave
************************************************************ *
* David MacQuigg, PhD email: david_macquigg at yahoo.com * *
* IC Design Engineer phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. Tucson, Arizona 85710 *
************************************************************ *