James Craig Burley wrote:
Hmmm, well I suppose the root nameservers are centralized. These are the master phone books that tell clients where to go to lookup the number, etc. However, the DNS record for each domain itself is manageable by anyone who has a domain. There are large records spread out over multiple networks via delegation, and small records that are handled by a primary and secondary host. If one chooses to allow their ISP or some other service to manage their DNS record, that is an option.Isn't SPF dependent on DNS? If so, it's not really decentralized, is it?
Before I got my hands dirty with DNS it seemed large and complicated and difficult. But it really isn't all that complicated. Especially for just a single domain that might have a few records. Absolutely there are larger more complicated setups, especially when you have several networks under one domain, and perhaps even dislocated subnets on non-octet boundaries, and you want to delegate forward and reverse authority to various departments, customers, etc.
For SPF: As long as you identify potential mx hosts and publish this information in the TXT record then life will be swell. If you have a web site on a domain that is not used for email, then you can specify that NO hosts are allowed to send email "from" that domain.
Having mail that relies on DNS isn't worrysome. The thing has to figure out where to route it anyhow - it is already dependent on DNS. There are already multiple queries performed per processed email. If speed is an issue then it is usually wise to run a cacheing server on the mail host. IMHO. One potential bottleneck using DNS has to do with the fact that DNS uses UDP. If you stuff a lot of TXT info in your record this can cause an issue. But that issue is as old as the hills, perhaps may never change.
It is true that SPF use isn't widespread. But ISPs with large consumer bases such as AOL and Earthlink have set it up. And thousands of other domains have it. Soon they will actually use it to determine if mail will pass through. They _may_ be using it now to (partially?) assign a spam score, that is not documented anywhere that I currently know about.
To date, I have not seen a more elegant solution to curb domain "hijacking." - a form of identity theft IMHO. It really doesn't reduce SPAM, but it does reduce SPAM from bogus addresses sent from unauthorized hosts.
I am not sure how false-positives would be an issue, but I am not discounting the potential. When a message comes in, the source ip and the from address are known. Or perhaps there is no from address at all (ie bounce), and the helo domain (would/could) be used. SPF either doesn't exist, it exists and the host is valid, or it exists and the host is invalid. There are a few other possibilities for status. It is up to the receiving mail server to decide whether or not to process the mail - or perhaps handle it differently - based on this information.
So, from my point of view, this is a system that gives domain owners a choice to publish and what to publish, and people with mail servers a choice whether or not (and how to) use the information.
Best regards
Waitman
