Tracy R Reed wrote:
kelsey hudson wrote:
Certainly. SPF is flawed-by-design. Anyone who's implementing it
should reconsider.
Do you prefer/endorse domain keys?
While I don't implement them, I think I did some research into domain
keys and found their implementation more acceptable. I can't immediately
recall the details from the top of my head ... ok, now you're forcing me
to google so I don't sound like a moron.
http://ietf.org/rfc/rfc4870.txt -- DomainKeys, Mark Delany, Yahoo!, Inc.
Basically, the gist of it is that MTAs will sign messages for which they
are authoritative. The big benefit to it, and why I found it acceptable,
is that it puts the control of *the domain owner* to set the policy
rather than the owner of the recipient domain. This is done in the
_domainkey TXT record. So, if the domain owner says, "all mail from this
domain *WILL* come through these servers and MUST be signed" then the
recipient domain should act on that policy (well, has to to be RFC
compliant, but as RFC4870 isn't a standard of any kind, YMMV). If,
however, the domain owner says, "mail with signatures is genuine, but
I've also got people who send mail from off-site and their messages may
not be signed" then the recipient server can take that into account when
it receives the message as well. So, signed mail can be immediately
accepted; unsigned mail will still go through the same rigamaroll of
spam filtration and whatnot before it's deemed "genuine."
Overall, it's a system that's better thought-out than SPF, which merely
*requires* all mail to go through "authorized" servers. SPF isn't
scalable for organizations that grow above a certain size: the number of
allowed sending domains grows large, thus decreasing effectiveness and
causing an administrative headache. Unless, of course, you're required
to do something silly like force use a webmail client or connect to a
VPN to send email. It's no small wonder why Microsoft is a big proponent
of SPF: this is *exactly* how Exchange works.
Yahoo! created DomainKeys, and did so with compatibility and
extensibility in mind. As its implementation is in just about every
major MTA now, it might as well be standard, and it's one I can find a
lot more acceptable than SPF. This isn't to say DomainKeys is perfect;
on the contrary it's not an end-all solution at all (and even by
Yahoo!'s own admission!). It's just one that doesn't impose draconian
restrictions on who can and cannot send email purporting to come from
domain XYZ.
-Kelsey
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
