- From: James A. Donald <jamesd@echeque.com>
- Date: Sun, 18 Jun 2006 08:26:50 +1000
- To: practicalsecurity@hbarel.com, public-usable-authentication@w3.org
-- Chris Drake wrote:
> all authentication schemes are being actively avoided
> by every responsible ISP, because when they activate
> these schemes - they find they are preventing
> their own customers from being able to get emails
> through to recipients. If an ISP's customer wants to
> send an email from their own address when not using
> the ISP's mail server - it's going to get rejected if
> the ISP has SPF etc. in place (unless the customer
> knows how to use SRS). As a responsible ISP -
> ensuring your own customer emails reach their target
> is a much higher priority than helping to stop random
> strangers who are not your customers from receiving
> spam that forged the ISP's domain. Why would anyone in
> their right mind do harm to their *customers* in order
> to help **strangers**??? THAT's the reason none of
> this stuff is widely deployed - it's got little to do
> with filter tools.

Rejecting emails on the basis that they are not SPF authenticated is foolish, for there are many innocent reasons why an email might fail authentication.

I guess many people have now seen this message six times, so I had best stop repeating it. But nonetheless, now the seventh repetition:

Authentication without reputation management is useless. The purpose of authentication is to support reputation management. DK and SPF are attempting to walk around on one leg.

Repeating my previous two posts in slightly different words: What needs to be done, and is not being done, is to attribute reputation to the originating domain on the basis of the quality of the emails that *are* SPF and/or DK authenticated, and then attribute quality to authenticated emails on the basis of the reputation of their originating domain.

If email fails authentication, that is a weak reason for rejection. If an email passes authentication, then we can apply an additional test: the reputation of the originating domain.

SPF and DK are not being used correctly on the client side. This makes them useless, indeed dangerous, to recipients, and useless to legitimate senders.

--digsig James A. Donald
Received on Saturday, 17 June 2006 22:26:55 UTC
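The receiver-side policy the post argues for, as an added example that is not part of the original message or of any real filter: an SPF/DK pass is the handle for looking up and updating domain reputation, a failure is only a small nudge, and reputation is learned solely from authenticated mail. The domains, counts and content scores are constructed.

```python
from dataclasses import dataclass


@dataclass
class DomainReputation:
    """Tally of how a domain's *authenticated* mail has been judged."""
    good: int = 0
    bad: int = 0

    def score(self) -> float:
        # Smoothed share of authenticated mail judged good; an unknown domain
        # starts neutral at 0.5 rather than being trusted or blocked outright.
        return (self.good + 1) / (self.good + self.bad + 2)


class ReputationFilter:
    def __init__(self, fail_penalty: float = 0.1, reject_threshold: float = 0.8):
        self.reps: dict[str, DomainReputation] = {}
        self.fail_penalty = fail_penalty
        self.reject_threshold = reject_threshold

    def spam_score(self, domain: str, auth_pass: bool, content_score: float) -> float:
        """Blend an existing content-filter score (0 = ham, 1 = spam) with auth."""
        if not auth_pass:
            # Failing SPF/DK is a weak signal (forwarding without SRS, a customer
            # sending from another network): nudge the score, never reject on it alone.
            return min(1.0, content_score + self.fail_penalty)
        # A pass makes the domain accountable, so its track record carries real weight.
        rep = self.reps.get(domain, DomainReputation()).score()
        return min(1.0, 0.4 * content_score + 0.6 * (1.0 - rep))

    def verdict(self, domain: str, auth_pass: bool, content_score: float) -> str:
        score = self.spam_score(domain, auth_pass, content_score)
        return "reject" if score >= self.reject_threshold else "accept"

    def record_verdict(self, domain: str, auth_pass: bool, was_spam: bool) -> None:
        # Learn only from authenticated mail: forged mail fails authentication,
        # so it must not be charged to the domain it merely claims to come from.
        if not auth_pass:
            return
        rep = self.reps.setdefault(domain, DomainReputation())
        if was_spam:
            rep.bad += 1
        else:
            rep.good += 1


def demo() -> dict[str, str]:
    """Constructed history and messages (hypothetical domains, not real traffic)."""
    f = ReputationFilter()
    for _ in range(20):
        f.record_verdict("bank.example", True, was_spam=False)
        f.record_verdict("bulkmailer.example", True, was_spam=True)
    f.record_verdict("bank.example", False, was_spam=True)  # forgery: not charged to bank.example
    return {
        "authenticated, good domain": f.verdict("bank.example", True, 0.6),
        "authenticated, bad domain": f.verdict("bulkmailer.example", True, 0.6),
        "unauthenticated, same content": f.verdict("bank.example", False, 0.6),
        "unauthenticated, spammy content": f.verdict("bank.example", False, 0.9),
    }
```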