Re: Why SPF and DK are not being used from Jeffrey Altman on 2006-06-18 (public-usable-authentication@w3.org from June 2006)

From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun, 18 Jun 2006 12:20:35 -0400
To: "James A. Donald" <jamesd@echeque.com>
CC: practicalsecurity@hbarel.com, public-usable-authentication@w3.org
Message-ID: <44957D53.7050209@secure-endpoints.com>

My e-mail server software supports both SPF and DK.
I attempted to utilize both but discovered that SPF
and DK miserably failed with mail relayed by mailing
lists.   Given that I am subscribed to hundreds of
lists and I desire to receive mail that is sent via
the list servers and that I wish mail I send to be
received by readers of the lists, I turned both SPF
and DK off.

The solutions are flawed because they do not permit
the continued use of common e-mail usage patterns.
I suspect more organizations would deploy a solution
that worked.

Jeffrey Altman


James A. Donald wrote:
> 
>     --
> Why SPF and DK are not being used:
> 
> Obviously, domains have no incentive to use SPF and/or
> DK unless email recipients filter on SPF and DK
> 
> But users do not.
> 
> Largely because they cannot.  There are no filter tools
> that make good use of SPF and DK information.  There are
> filter tools, but they are research demonstrations,
> rather than actually useful in reducing the spam in my
> inbox.
> 
> What the filter should do, is as part of Bayesian
> filtering, observe that some messages get marked as
> spam, and others as ham, and conclude that if some mail
> that provably arrives from certain domains is ham, all
> mail that provably arrives from those domains is
> probably ham, generating a list of known good domains
> which it then uses to guess which emails are ham.   It
> should also observe what domains usually provide
> evidence that email came from the domain it appeared to
> come from, and conclude that email without such
> evidence, purportedly coming from a domain that usually
> provides such evidence, is probably forged, therefore
> probably spam.  SPF and DK information needs to be
> integrated with all other available information for
> filtering mail.
> 
> The widespread deployment of such filters would give
> mail server administrators reason to support SPF and DK.
> They would DK their outgoing mail in order to get their
> domain on the known good list. At present they have no
> such incentive, and so are not supporting SPF or DK.
> 
>     --digsig
>          James A. Donald
>      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>      CAbCqOSgym8Up02XNnb1alzFW4VBYsBpa/7xjkfS
>      4pjb+C/KVowMqXdI49IgPIpZ4kB3ulWsslp3qz+jm
>

Received on Sunday, 18 June 2006 16:20:05 UTC