In <200506030359(_dot_)39012(_dot_)bulk(_at_)mehnle(_dot_)net> Julian Mehnle
<bulk(_at_)mehnle(_dot_)net> writes:
Remember what you said before:
| > I always thought that authenticity was all about being able to take
| > something for what it appears to be.
|
| Indeed it does.
So, are you saying that I can apply reputation to an identity _without_
being sure that the identity was used with its owner's consent?
I dunno about Alex, but I would answer your question with "yes".
As I said on #spf-council last night:
<grumpy> Authentic means that it isn't forged. We can't say that. We
can say that the probability of it being forged is low enough
to be acceptable to the domain owner to allow authorization.
I don't think this is an area where we can make black and white
distinctions. There is always going to be some uncertainty and gray
areas. Even if both the Sender and the Receiver like to see things in
black and white terms, they are likely to interprete anything we write
in different ways. Natural languages just are not precise enough.
It will end up being the market place of email senders/receivers that
determines how much accountability can be placed on all of the SPF
results, not just Pass. Both Senders and Recievers will have to
evaluate the risks of their actions, and some legitimate email will
almost certainly be lost, and some abusive email will make it through.
I don't think this is something that we can make as exacting as we may
all like to do.
That would be like you blacklisting mehnle.net because spammers have
joe-jobbed me multiple times.
Well, there are DNSBLs that will do that right now and some people will use
those DNSBLs. Heck there are even DNSBLs that, IMHO, do such stupid
things as list people who have a CNAME to their MX host and people
who, IMHO, do such stupid things as use those DNSBLs to make hard
rejects of email.
Such is the world of email in the 21st century.
-wayne