- From: James A. Donald <jamesd@echeque.com>
- Date: Sat, 17 Jun 2006 13:34:02 +1000
- To: practicalsecurity@hbarel.com, public-usable-authentication@w3.org
--

Why SPF and DK are not being used:

Obviously, domains have no incentive to use SPF and/or DK unless email recipients filter on SPF and DK. But users do not. Largely because they cannot. There are no filter tools that make good use of SPF and DK information. There are filter tools, but they are research demonstrations, rather than actually useful in reducing the spam in my inbox.

What the filter should do, is as part of Bayesian filtering, observe that some messages get marked as spam, and others as ham, and conclude that if some mail that provably arrives from certain domains is ham, all mail that provably arrives from those domains is probably ham, generating a list of known good domains which it then uses to guess which emails are ham.

It should also observe what domains usually provide evidence that email came from the domain it appeared to come from, and conclude that email without such evidence, purportedly coming from a domain that usually provides such evidence, is probably forged, therefore probably spam.

SPF and DK information needs to be integrated with all other available information for filtering mail.

The widespread deployment of such filters would give mail server administrators reason to support SPF and DK. They would DK their outgoing mail in order to get their domain on the known good list. At present they have no such incentive, and so are not supporting SPF or DK.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     CAbCqOSgym8Up02XNnb1alzFW4VBYsBpa/7xjkfS
     4pjb+C/KVowMqXdI49IgPIpZ4kB3ulWsslp3qz+jm
Received on Saturday, 17 June 2006 03:34:11 UTC
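
The filter behaviour proposed in the message above, sketched as an added example (not code from the message or from any existing filter). The class and function names, the smoothing, and the thresholds are assumptions, and the SPF/DK check itself is assumed to happen upstream and arrive as a boolean.

```python
from collections import defaultdict
from math import prod

class DomainAuthModel:
    """Per-domain SPF/DK statistics learned from the user's spam/ham marks."""

    def __init__(self):
        self.verified = defaultdict(lambda: [0, 0])  # domain -> [ham, spam], authenticated mail only
        self.signing = defaultdict(lambda: [0, 0])   # domain -> [authenticated, not], ham only

    def train(self, domain, authenticated, is_spam):
        # `authenticated` is assumed to be the result of an upstream SPF or DK check.
        domain = domain.lower()
        if authenticated:
            self.verified[domain][1 if is_spam else 0] += 1
        if not is_spam:  # assumption: only ham is trusted to show a domain's real habits
            self.signing[domain][0 if authenticated else 1] += 1

    def spam_probability(self, domain, authenticated):
        domain = domain.lower()
        if authenticated:
            ham, spam = self.verified.get(domain, (0, 0))
            return (spam + 1) / (ham + spam + 2)  # Laplace-smoothed
        signed, unsigned = self.signing.get(domain, (0, 0))
        auth_rate = (signed + 1) / (signed + unsigned + 2)
        # Missing evidence counts against the message only when the domain
        # usually provides it; otherwise the score stays neutral at 0.5.
        return max(0.5, auth_rate)

    def known_good_domains(self, max_spam_prob=0.1, min_ham=5):
        return sorted(d for d, (ham, _) in self.verified.items()
                      if ham >= min_ham and self.spam_probability(d, True) <= max_spam_prob)

def combine(probabilities):
    """Naive-Bayes combination of the domain score with other per-message scores."""
    spam, ham = prod(probabilities), prod(1 - p for p in probabilities)
    return spam / (spam + ham)

def build_demo_model():
    model = DomainAuthModel()  # constructed training history, not real mail
    for _ in range(20):
        model.train("bank.example", authenticated=True, is_spam=False)
    for _ in range(3):
        model.train("smallshop.example", authenticated=False, is_spam=False)
    for _ in range(5):
        model.train("bulk.example", authenticated=True, is_spam=True)
    return model
```

With this constructed history, unauthenticated mail claiming to be from `bank.example` scores about 0.95, while unauthenticated mail from `smallshop.example`, which never signs, stays at the neutral 0.5 and is left to the rest of the filter.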