[Asrg] SPF and other bad ideas

[Dotzero]

On Mon, Jan 19, 2009 at 3:31 PM, Gordon Peterson <gep2 at terabites.com> wrote:
>> I know, someone's going to tell me that SPF breaks forwarding. Well email
>> is already broken. I get up to a million spam messages into my domain daily.
>> Everything we do to prevent spam causes problems ranging from additional
>> load on our DNS servers to loss of important emails. The
> question is, are we going to fix it? I think what I'm proposing would at
> least allow people to do safe whitelisting
>
> SPF breaks more than forwarding.  It also harms people who occasionally need
> to send messages from kiosks, Internet cafes, cruise ships, international
> post offices, and other inhabitual locations elsewhere.
>
> I object to people expecting people to implement braindead, ill-conceived
> antispam strategies, just because "well, they would be efficient, if they
> worked right, which they don't."
>
> I agree that E-mail has serious problems, but the way to solve that isn't by
> putting into effect stupid, ill-designed, broken ideas just because you WISH
> they worked reliably.
>
> It's not enough for them to work just "some of the time",

Sure it is. But not in the sense you are using above. For example, the
domains I have implemented strong SPF assertions for are website
domains where with only a handful of exceptions the accounts are all
role accounts associated with the functioning of the websites. For the
handful of accounts used by individuals, policy is that they are not
allowed to send mail from anywhere except our environment.

The only breakage case in this instance is where a recipient is using
a vanity domain and/or sending the mail on to another account of
theirs without using something like SRS. Based on experience, the
tradeoff is a small fraction of a percent of the email with this type
of problem versus a very very large number of people that can be
afforded additional protection from phishing attacks because the ISP
or Mail Admin can identify mail that originates from us vs mail that
purports to be us.

If an enduser wants the flexibility to send from Kiosks or through
other MTAs and their company or mail provider allows this by policy
then the use of strong SPF assertions is likely inappropriate. My
response to you is the old saw about the person who goes tot he doctor
about a pain.... "Doctor, it hurts when I do that" ...... and the
Doctor says..... "Don't do that".

>IF they also break
> legitimate, reasonable uses.  At least not unless the intended recipient
> grants **informed** consent.
>

Whether or not the use is legitimate or reasonable is certainly a
matter for discussion. The use of SPF or DKIM is not a MUST. It is a
MAY and whether it is appropriate for a particular domain or user is
something that must be considered. If the owner of the domain chooses
to implement these approaches and you as an individual are unhappy,
then you face some choices. If it is company policy you can try to
convince them to allow you to send email from wherever you want or you
can conform....you might even choose to quit on principle if you feel
that strongly about it. If you are a customer of an ISP/mailprovider
you have similar choices except that quitting is not likely to reduce
your income.