>I pretty much agree with you. But please don't discount the importance 
>of a thing such as SPF. This thing is a decentralized, self-configured 
>way[...]

Isn't SPF dependent on DNS?  If so, it's not really decentralized, is it?

(At least, I wouldn't describe DNS as "decentralized"; it's more like
a distributed data base with some degree of local control over
portions of the data base that provide local information to all users
of the data base.)

AFAICT, the problem with SPF isn't so much the publishing of one's own
local records, though for some sites that *is* a practical problem.

Instead, the problem occurs when an incoming email requires an SPF
(DNS) lookup for a *remote* site.

At that point, the fact that DNS is ultimately centralized and must be
queried in a manner that provides some degree of trustworthiness for
the resulting data implies a potentially fatal bottleneck for email
deliveries involving SPF (or DomainKeys) lookups.

However, until SPF is sufficiently widely deployed to expose this
bottleneck, the bottleneck will be little more than a matter of
speculation, so SPF will appear to "work" until that point.

(But, until that point, how useful can it really be in stopping or
substantially slowing spam and vermin without generating lots of false
positives??  After all, it won't have yet been widely deployed, and it
isn't terribly likely enough sites will choose to publish information
*without* also doing SPF lookups for most or all incoming email,
unless SPF is redefined to be an end-user-triggered means of
determining authenticity of important-looking mail, in which case it
ceases to be much of an anti-UBM measure and becomes more of an
anti-fraud measure.)

-- 
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>
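
The receiver-side DNS dependency discussed in the message above, as an added example that is not part of the original post: a simplified SPF check (ip4, include and all mechanisms only) run against a constructed in-memory zone, counting the DNS queries that inbound mail triggers with and without a local cache. The domains, addresses and the `CountingResolver`, `check_spf` and `deliver` names are made up for illustration.

```python
import ipaddress

# Constructed TXT data standing in for the remote sites' DNS.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
class CountingResolver:
    """Hypothetical resolver stub that counts queries leaving the receiving site."""
    def __init__(self, zone, use_cache=True):
        self.zone, self.use_cache = zone, use_cache
        self.cache, self.remote_queries = {}, 0
    def txt(self, name):
        if self.use_cache and name in self.cache:
            return self.cache[name]            # answered locally
        self.remote_queries += 1               # would go out to remote DNS
        self.cache[name] = self.zone.get(name) # misses are cached too
        return self.cache[name]

def check_spf(resolver, domain, client_ip, depth=0):
    """Simplified SPF evaluation: ip4, include and all mechanisms only."""
    if depth > 10:                             # assumed guard against include loops
        return "permerror"
    record = resolver.txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(resolver, term[8:], client_ip, depth + 1) == "pass"
        else:
            matched = term == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def deliver(messages, use_cache):
    """Check each (sender domain, client IP) pair; return results and query count."""
    resolver = CountingResolver(ZONE, use_cache)
    results = [check_spf(resolver, dom, ip) for dom, ip in messages]
    return results, resolver.remote_queries
MAIL = [("example.org", "192.0.2.10"), ("example.org", "198.51.100.7"),
        ("example.org", "203.0.113.5"), ("nospf.example", "192.0.2.10")]  # constructed
```

On this sample, `deliver(MAIL, True)` issues 3 remote queries and `deliver(MAIL, False)` issues 6 for the same four messages.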
