At 04:11 PM 10/20/2008 -0400, Stuart D. Gathman wrote:
>On Mon, 20 Oct 2008, David MacQuigg wrote:
>
>> Long-term, we need a way to motivate senders like Yahoo to publish their
>> authorized IP addresses. We cannot reject their messages, but we can send an
>> SMTP reject with a message like: "Sorry! We cannot guarantee delivery of
>> this message. yahoo.com does not offer sufficient authentication to prevent
>> forgery. We will run it through our spam filter, and keep it in our
>> quarantine, but the recipient may not read it."
>
>Actually, yahoo *does* provide DKIM authentication. The problem is that
>DKIM requires receiving the entire message first. We want them
>to provide SPF in *addition* to DKIM.
>
>> I think most senders will comply after seeing a large number of these
>> messages. Yahoo may be special, however, since they have a vested interest
>> in a competing protocol. We've got to sell the idea that its not either-or,
>> but *both* protocols are needed.
>
>Exactly. DKIM handles 2822 header fields. SPF handles 2821 envelope.
>The protocols are complementary, not competing. SPF is super cheap.
So do we have enough "clout" to get Yahoo's attention? My mailflow is way too small, but I'll bet if everyone on this list who manages a mailserver, starts sending reject messages like the above, we'll get some action, or at least a response.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
>On Mon, 20 Oct 2008, David MacQuigg wrote:
>
>> Long-term, we need a way to motivate senders like Yahoo to publish their
>> authorized IP addresses. We cannot reject their messages, but we can send an
>> SMTP reject with a message like: "Sorry! We cannot guarantee delivery of
>> this message. yahoo.com does not offer sufficient authentication to prevent
>> forgery. We will run it through our spam filter, and keep it in our
>> quarantine, but the recipient may not read it."
>
>Actually, yahoo *does* provide DKIM authentication. The problem is that
>DKIM requires receiving the entire message first. We want them
>to provide SPF in *addition* to DKIM.
>
>> I think most senders will comply after seeing a large number of these
>> messages. Yahoo may be special, however, since they have a vested interest
>> in a competing protocol. We've got to sell the idea that its not either-or,
>> but *both* protocols are needed.
>
>Exactly. DKIM handles 2822 header fields. SPF handles 2821 envelope.
>The protocols are complementary, not competing. SPF is super cheap.
So do we have enough "clout" to get Yahoo's attention? My mailflow is way too small, but I'll bet if everyone on this list who manages a mailserver, starts sending reject messages like the above, we'll get some action, or at least a response.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com