What is happening with this? Implementation seems sparse and imperfect
which seems also to be true for DK, SSP, and SPF. Are any of these worth
fussing with?

dp

In article <46c73143$0$3576$815e3792@news.qwest.net>,
dp <dp@urflink.net> wrote:

> What is happening with this? Implementation seems sparse and imperfect
> which seems also to be true for DK, SSP, and SPF. Are any of these worth
> fussing with?

SPF is starting to be important if you care about delivering to
MSN/Hotmail users. If you prefer telling them to get a real mail
provider, publishing a SPF record is pointless and counter-productive.

SPF is also a useful tool in some cases for whitelisting some varieties
of mail that people actually really want but which look very spammy to
tools like SpamAssassin and Bayesian filters that have been shown a lot
of phish mail. For example, both Citi and Vanguard do mailings to their
customers under various domains that they have SPF records for and
complex sourcing. Rather than try to code up your own rules to make
sure people can get their heavily web-bugged and spammy-looking mail
about their finances from a real financial services provider, it is
simpler and more reliable to just trust that if the SPF record says a
particular client host is a legit sender for a legit domain, let it
pass.

SPF as a spam reduction tool (as opposed to a whitelisting tool) is
pretty much useless, but no one who understood the technology ever
really expected it to be useful there.

DK has pretty much been held back by everyone waiting for DKIM, which is
now arguably solid enough to start using but like SPF it is really only
a whitelisting tool, not a spam reduction tool. The sites that are
currently signing with DKIM are places like Google and Yahoo that emit
significant quantities of spam from their real users, so it is of little
use on a whole-domain basis in identifying non-spam mail, but it can be
used to pick the non-spam out of the sewage coming from them on a
user-by-user basis if you run a small enough site to do that sort of
thing. AFAIK, no one is doing anything that makes DKIM signing
worthwhile for most sites. As with SPF, the majority of mail
authenticated by DKIM checking is in fact spam.

The SSP extension to DKIM is still unfinished. There may be people
publishing records, but I wouldn't look at trying to make use of that
for another year at least.

--
Now where did I hide that website...

In article <46c73143$0$3576$815e3792@news.qwest.net>,
dp <dp@urflink.net> wrote:

> What is happening with this? Implementation seems sparse and imperfect
> which seems also to be true for DK, SSP, and SPF. Are any of these worth
> fussing with?

SPF is starting to be important if you care about delivering to
MSN/Hotmail users. If you prefer telling them to get a real mail
provider, publishing a SPF record is pointless and counter-productive.

SPF is also a useful tool in some cases for whitelisting some varieties
of mail that people actually really want but which look very spammy to
tools like SpamAssassin and Bayesian filters that have been shown a lot
of phish mail. For example, both Citi and Vanguard do mailings to their
customers under various domains that they have SPF records for and
complex sourcing. Rather than try to code up your own rules to make
sure people can get their heavily web-bugged and spammy-looking mail
about their finances from a real financial services provider, it is
simpler and more reliable to just trust that if the SPF record says a
particular client host is a legit sender for a legit domain, let it
pass.

SPF as a spam reduction tool (as opposed to a whitelisting tool) is
pretty much useless, but no one who understood the technology ever
really expected it to be useful there.

DK has pretty much been held back by everyone waiting for DKIM, which is
now arguably solid enough to start using but like SPF it is really only
a whitelisting tool, not a spam reduction tool. The sites that are
currently signing with DKIM are places like Google and Yahoo that emit
significant quantities of spam from their real users, so it is of little
use on a whole-domain basis in identifying non-spam mail, but it can be
used to pick the non-spam out of the sewage coming from them on a
user-by-user basis if you run a small enough site to do that sort of
thing. AFAIK, no one is doing anything that makes DKIM signing
worthwhile for most sites. As with SPF, the majority of mail
authenticated by DKIM checking is in fact spam.

The SSP extension to DKIM is still unfinished. There may be people
publishing records, but I wouldn't look at trying to make use of that
for another year at least.

--
Now where did I hide that website...