At 05:29 PM 5/12/2006 +0000, Julian Mehnle wrote:
Scott Kitterman wrote:
> As one of the "List Moms" for the spf-help list I get a weekly status
> report on subsciption status for that mailing list. It's been hanging
> just under 1500 subscribers for the last 6 months or so. Since the
> subscriber base tends to turn over (people subscribe, get their
> questions answered, and leave) I've figured that a level subscriber base
> is indicative of a steady rate of growth.
>
> Now I wonder:
>
> http://www.google.com/trends?q=SPF
>
> Note that (at least when I went to the page) the two most recent
> referenced news articles are not about our SPF. I don't think this
> trend is good.
All you're basing your doubts on is <http://www.google.com/trends?q=SPF>??
Media exposition sure is a contributing factor to SPF's success, or
"momentum", as you put it, but I don't think it is a good _indicator_ in
our case.
SPF is a grass-roots technology which best propagates whenever someone
calls his mail admin and asks why this "SPF" thing has blocked his mail.
That sort of thing raises awareness with admins (and thus domain owners)
more than a media article or two or ten (not necessarily positive
awareness at first, I know, but as long as the facts speak for us, it'll
be positive in the long run). Compared to that, adoption by the 100
biggest ISPs only helps so much.
The message to senders and their clients needs to be not "SPF has blocked
your mail", but rather, "Your sender's lack of authentication has put your
mail in an "untrusted" folder. It may or may not be read by the recipient."
I admit that pressure actions, such as AOL privileging mail from SPF-
equipped domains, help a lot, but I'm not sure how much we can influence
that. Should we try to approach big ISPs directly? The question with the
big ISPs anyway is why they don't consider SPF a valuable solution to a
real problem. Lack of awareness can't be the issue among them, can it?
(BTW, I have had private contact with tech representatives of the largest
Belgian ISP and of one of the largest US banks earlier this year who said
they were deploying SPF. So there _is_ movement, it's just not always
visible on the surface.)
And don't forget that according to various recent studies and news
articles, the volume of SPF records has grown to ~3 million by now.
Are these legitimate senders, or mostly spammers? More relevant statistics
would be what percentage of messages offer SPF, and of those that do, what
percentage are legitimate mail. I would like to see some typical numbers
plotted month by month. I would be glad to help with that project, but we
need to monitor one or more typical, large mailflows. My own system is too
small, and has a larger than average percentage of spam.
> I am not a PR guy and I have no idea how this PR stuff works, but I
> think we need some.
I agree.
Let's see what media response the upcoming announcement and press release
bring. After that, I think we should concentrate our PR efforts on a
grass-roots "Spread SPF!" campaign as I said during the last council
election.
I'm very interested however how others see this issue.
I think domain owners are well aware of the need for authentication, and
more PR won't help. What is needed is an economic reason for them to offer
authentication, a "business case", as Scott would say. We can't reject
mail from senders who don't cooperate, but there is a third alternative
besides accept or reject. When senders and their clients become aware that
their mail is being "greylisted", or in some way treated as less
trustworthy than authenticated mail, that should be sufficient reason for
them to take action.
-- Dave
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com