>However, the DNS record for each domain itself is manageable by
>anyone who has a domain.

Exactly.  Therefore, SPF information permitting email to come from any source is publishable by anyone who has a domain.  So now, instead of spammers sending emails saying they are from yahoo.com, they'll send emails saying they are from some.other.site.in.china, which you might or might not have ever heard from before, which might or might not be legitimate.  Or they'll send emails saying they are from buncha.roaming.users.com, which publishes SPF information saying their users can send email from almost anywhere.  Or they'll send emails via zombie machines that exploit the fact that those machines are configured by naive users to legitimately send email from buncha.winboxen.dsl.com.

That's at least three ways in which spammers will be able to forge emails that SPF will either not detect as forged, or will have to be configured to generate lots of false positives (reporting as forgeries emails that are not in fact forged).

>Having mail that relies on DNS isn't worrisome. The thing has to figure
>out where to route it anyhow - it is already dependent on DNS.

But only to go in the outbound direction (except for bounces, which aren't implemented usefully enough to help spammers anyway).  SPF adds a dependency on DNS for the *inbound* direction as well, so now a whole extra set of DNS lookups are performed for each and every email exchange, assuming an SPF-complete Internet email system.  And those inbound lookups are controlled not by the population of local users whose system performs the lookups, but by anybody who can reach that system from outside.

>If speed is an
>issue then it is usually wise to run a caching server on the mail host.

Caching doesn't help, rather it hurts, when there is insufficient locality of reference.  (I believe I've made this point before, several times.)

>It is true that SPF use isn't widespread. But ISPs with large consumer
>bases such as AOL and Earthlink have set it up. And thousands of other
>domains have it. Soon they will actually use it to determine if mail
>will pass through. They _may_ be using it now to (partially?) assign a
>spam score, that is not documented anywhere that I currently know about.

"I have a photo ID.  My friends all have photo IDs.  And millions of other people have photo IDs.  Soon everyone will actually use them to determine if conversations between people will occur.  They _may_ be using them now to assign a spam score...."

At what point will *you* begin refusing to communicate with anyone without first checking their photo ID and determining if they are who they appear and claim to be?

>So, from my point of view, this is a system that gives domain owners a
>choice to publish and what to publish, and people with mail servers a
>choice whether or not (and how to) use the information.

That's certainly true.

-- 
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>
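The two mechanical points in the post above, that any domain owner can publish an SPF record authorising every source address, and that evaluating a record costs the *receiving* host DNS lookups chosen by whoever connects, can be seen in a small SPF evaluator. The following is an added example and not code from the post, the thread, or any SPF implementation; it runs against a constructed in-memory table of TXT records (the `.example` domain names and addresses are made up), implements only the `ip4`, `include` and `all` mechanisms, and counts the lookups one message triggers.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, in-memory DNS table.

Added example, not code from the original post.  The record for
"permissive.example" authorises any address ("+all"), so a sender that
forges that domain passes SPF.  "roaming.example" ends in "?all", so a
forged message from it is merely neutral and a receiver that rejects
on that basis would also reject the domain's real roaming users.
Every evaluation increments a lookup counter: those queries are issued
by the receiving host but are chosen by the connecting client.
"""
import ipaddress

# Constructed TXT records; all domains here are fictional (assumption).
FAKE_DNS = {
    "strict.example":     "v=spf1 ip4:192.0.2.0/24 -all",
    "permissive.example": "v=spf1 +all",
    "roaming.example":    "v=spf1 ip4:198.51.100.0/24 ?all",
    "outsourced.example": "v=spf1 include:permissive.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfEvaluator:
    def __init__(self, dns):
        self.dns = dns
        self.lookups = 0  # DNS queries performed while checking one message

    def lookup_txt(self, domain):
        """Stand-in for a TXT query; counts every lookup."""
        self.lookups += 1
        return self.dns.get(domain)

    def check(self, ip, domain, depth=0):
        """Return the SPF result for connecting address `ip` claiming `domain`."""
        if depth > 10:            # crude guard against include: loops
            return "permerror"
        record = self.lookup_txt(domain)
        if record is None or not record.startswith("v=spf1"):
            return "none"         # no SPF policy published for this domain
        addr = ipaddress.ip_address(ip)
        for term in record.split()[1:]:
            qualifier = "+"       # an unqualified mechanism means "pass"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            if term == "all":
                return QUALIFIERS[qualifier]
            if term.startswith("ip4:"):
                if addr in ipaddress.ip_network(term[4:], strict=False):
                    return QUALIFIERS[qualifier]
            elif term.startswith("include:"):
                # include: matches only if the included domain would "pass"
                if self.check(ip, term[8:], depth + 1) == "pass":
                    return QUALIFIERS[qualifier]
            else:
                return "permerror"  # a, mx, exists, etc. not implemented here
        return "neutral"          # record ran out without a match


def evaluate(ip, domain, dns=FAKE_DNS):
    """Evaluate one message; returns (spf_result, dns_lookups_performed)."""
    ev = SpfEvaluator(dns)
    return ev.check(ip, domain), ev.lookups


if __name__ == "__main__":
    forged_source = "203.0.113.5"  # constructed address, not in any record
    for claimed in ("strict.example", "permissive.example",
                    "roaming.example", "outsourced.example"):
        print(claimed, evaluate(forged_source, claimed))
```

Running it shows a forged message from `permissive.example` passing outright, one from `roaming.example` coming back neutral (so the receiver must either accept it or start refusing the domain's legitimate users), and the `include:` record costing two lookups where a plain record costs one, all driven by a domain name the remote client supplied.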