| One could argue that domains that don't publish SPF records don't
| care about sender address forgery, and therefore don't care about
| backscatter. So, perhaps it's OK to send DSNs into domains without SPF
| records. And perhaps it's OK when the result is NEUTRAL (no policy).
This assumption is extremely false, especially as SPF is an extremely
flawed and in fact unusable protocol in real world situations.
(I will skip the rant, but any time your protocol requires inventing
an entire second protocol that must be adhered to by *everyone* you
have a very big warning sign.)
We publish SPF records for our subdomain. We do not do it because we
think it's a good idea, we do it because certain large 800-lb gorillas
of the email world are more likely to accept email from our systems if
we have SPF records. These records have a general neutral '?all' result
(and this is never, ever going to change). We would be extremely angry
if some remote system took this as free license to send us DSNs for a
spam run instead of rejecting at SMTP time.
| So, (a) there will be a few MTAs with PRDR, with a substantial market
| share between them, (b) a substantial proportion of email is to single
| recipients (including personalised marketing, for example), and (c) a
| substantial proportion of senders are authenticated by SPF. [...]
I'm genuinely curious: do you have any stats on how many senders and
how much email passes strong SPF authentication?
(By strong SPF authentication I mean where the origin domain publishes
SPF that actually has restrictions and the email passes some positive
SPF assertions. Passing a '?all' assertion is IMHO not a meaningfully
SPF authenticated email.)
- cks
