"The art of progress is to preserve order amid change and to preserve change amid order." -- Alfred North Whitehead
Adoption is voluntary. Industry awareness drives new
installations. AOL is also currently requesting all of
their whitelist partners to switch
to SPF to remain on their whitelist. The graph below
shows SPF publishing domains over time.
Initially, domain owners can set ?all, which
means "default unknown". They start educating their users
to switch to SASL AUTH, and maybe set a local sunrise date.
When the vast majority of users are doing the right thing
(sending mail out only through the domain's designated
mailers) they change the default to -all, which
means "default deny". That tells SPF-aware receiving
servers that it's safe to reject SPF violations rather than
classify them as spam.
A number of objections have been raised so far. Yes,
some of them will cause pain, but on the whole, I see a net
benefit. I have discussed SPF with members of the technical
community whose opinion I respect. None of them have
identified any major flaws. Most of them believe an
implementation is called for.
Voluntary Adoption. Some domains will gradually
start publishing SPF information; Hotmail, AOL, and other
large ISPs would be delighted to stop getting bogus abuse
reports sent by spam victims who don't know how to read
RFC2822 headers.
Refusal to Adopt. Some domains will not publish
SPF. Spammers will forge mail to appear from those domains.
This is already happening, of course: spammers forge mail to
appear from @aol.com and @hotmail.com all the time. Most
respectable companies subscribe to a philosophy called
"preventing trademark dilution". It would be unusual for a
domain to not publish SPF because that means they do not
care if spammers forge addresses with their domains. If SPF
becomes so widely adopted that people decide that "non-SPF"
is a strong correlate with "spammer", people will configure
their preferences to reject mail from those domains, putting
pressure on them to start publishing SPF lists.
Guerilla Adoption. Benevolent third-parties may
start publishing SPF lists for laggard domains who don't
publish those lists themselves. Eventually domains will get
tired of these lists being out-of-date. Or commercial services
will evolve, to cater to domain owners who are too frazzled
to set up SPF records.
Vanity domains. What
does this mean for the holders of vanity domains? If they
are unwilling or unable to construct the necessary DNS
entries, vanity domains can simply choose not to participate
in SPF. Email will still work as before.
MTA support. We can encourage adoption by
implementing SPF query support in the four major opensource
MTAs.
DNS support. All existing DNS servers already
support the TXT type. No modifications are necessary.
|
