|| ||David Woodhouse <dwmw2-AT-infradead.org>|
|| ||[Fwd: MARID to close]|
|| ||Thu, 23 Sep 2004 12:09:10 +0100|
I don't think I've seen you comment on this. The MARID working group
which was looking at the possibility of standardising something based on
Microsoft's SenderID or the equally fundamentally flawed SPF has
Strike one for sanity :)
The problem with SPF and SenderID was that they made flawed assumptions
about how the world works -- in particular with respect to forwarding.
They each put forward a plan to make their assumptions come true, but
they required that _everyone_ out there should upgrade to make it all
Even if that were a realistic plan, their 'fix' was to make all mail
servers rewrite the 'responsible' address when forwarding mail, to take
responsibility for it themselves. When all mailservers are doing
something like that, it becomes _only_ a way of checking how much you
trust the individual mail server which is sending you the mail.
For example, my server could send a mail claiming to be from
... which _looks_ like it was from email@example.com, but via one of my
servers. You have no idea; you only know how much you trust _me_.
And it _is_ all about trust. With spammers publishing SPF records to get
themselves a 'pass' you had to look up the domain in a
blacklist/whitelist -- some kind of trust database.
But given that SPF/SenderID could only really manage to work out a trust
level for _one_ hop -- the mail server which was actually sending you
the mail -- there was no point in what they were doing, and no point in
all the breakage with forwarding. You might as well have done it based
on the HELO instead, without breaking the whole world while you're at
So let's let SPF and SenderID rest in peace.
Now it's time we got together and fixed up a real end-to-end solution
for verifying mail ownership, like DomainKeys or IIM.
In the interim, if you want to be able to stop receiving bounces to mail
you didn't actually send, try BATV. It's fairly trivial to implement and
it's unilateral -- you can just _do_ it and nobody else needs to know or
to post comments)