
Re: @debian.org mail



On Jun 03, Sam Hartman <hartmans@debian.org> wrote:

> But more than that, you don't need the SPF record.
(Here comes a short lesson on email authentication...)
The most useful way to think about SPF and DKIM is that they allow moving 
reputation considerations for a message from the sender IP address 
to the sender domain (DKIM) or envelope sender domain (SPF).
This way receivers can safely assign a positive or negative reputation 
to mail from specific domains instead of using the same reputation for
all mail emitted by a specific IP.
This is what happens when SPF and/or DKIM are aligned, i.e. they 
successfully validate the (envelope) sender of the message.
This is why it is not very useful to have SPF records with ~all (which 
may mean "deliver to the spam folder") or -all (which may mean 
"reject"): the purpose of email authentication is managing positive 
reputation.
Since we are not a financial institution we do not have major troubles 
with forged @debian.org emails, so there is no need for ~all or -all SPF 
records: we can use ?all which basically means "revert to IP-based 
reputation if SPF is not aligned".
Also: SPF with hard failure (-all) breaks forwarding unless SRS is used, 
and most of the existing tools which implement SRS suck, so this is not 
a given.

> Debian could pay to get on one of the white lists, we could use some services
> like Amazon SES, we could possibly get a good enough dkim reputation
> that we don't need to do any of the above.
There are no useful whitelists (which would require domain-based 
reputation anyway) to solve this problem and a third party mail relay 
would not improve deliverability without domain-based reputation 
attached to debian.org.

On Jun 03, Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:

> 2. We have not published mail restriction DNS RRs.  Some people seem
> to think that this is a bad thing.
No. Many large receivers want to use domain-based reputation, and since, 
in the email world, receivers are always right, it is a bad thing (for us, 
who are the ones having deliverability problems) that we are not 
providing a way to do so.
As I explained, we can usefully deploy SPF and DKIM without adding any 
new restriction for unaligned messages.

> 3. Some big services have other shitty heuristics which misclassify
> mail from @debian.org users.
Probably because they have no way of attaching a reputation to the 
debian.org domain, given the lack of SPF and DKIM.

> Debian is in a better position than most to resist the hegemony of an
> oligopoly of unaccountable email providers.  We should use our
> political power, such as it is.
This would be nice if we had any political power which could be used, 
but it is quite obvious that the debate about email authentication was 
settled long ago in favour of domain-based reputation.
(And Google whitelisting some of our own servers is exactly the wrong 
thing to aim for since it does not solve the problem in a general way.)

-- 
ciao,
Marco
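A worked illustration of the two SPF points made in the message above (the "all" qualifier deciding what an unlisted IP gets, and a hard-fail record breaking plain forwarding until the envelope sender is rewritten with SRS). This is an added example, not code from the thread or from Debian's own mail setup; the zone records, domains, IP addresses and SRS secret are constructed for the example, and the evaluator covers only the ip4, ip6, include and all mechanisms of SPF.

```python
import hashlib
import hmac
import ipaddress

# Constructed zone data for this example; none of these records are real.
ZONE = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ?all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "forwarder.example": "v=spf1 ip4:192.0.2.77 -all",
}

# RFC 7208 qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SRS_SECRET = b"constructed-example-secret"  # hypothetical; a real forwarder keeps its own


def evaluate_spf(record, client_ip, zone, depth=0):
    """Evaluate client_ip against an SPF record using the ip4/ip6/include/all subset.

    Records are looked up in the constructed `zone` dict instead of DNS so the
    example runs offline. Unknown mechanisms are reported as permerror.
    """
    if depth > 10:  # RFC 7208 limits include recursion
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = zone.get(arg.lower())
            if sub is None:
                return "permerror"
            sub_result = evaluate_spf(sub, client_ip, zone, depth + 1)
            if sub_result == "pass":
                return QUALIFIERS[qual]
            if sub_result in ("permerror", "temperror"):
                return sub_result
            # fail/softfail/neutral from an include is simply "no match": keep going
        else:
            return "permerror"  # a, mx, ptr, exists, redirect are not implemented here
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 section 4.7)


def spf_check(envelope_sender, client_ip, zone=ZONE):
    """SPF result for the envelope sender's domain; "none" means no record published."""
    domain = envelope_sender.rpartition("@")[2].lower()
    record = zone.get(domain)
    return "none" if record is None else evaluate_spf(record, client_ip, zone)


def srs_rewrite(envelope_sender, forwarder_domain):
    """Rewrite the envelope sender as SRS0=HHHH=TT=orig-domain=orig-local@forwarder.

    Simplified: real SRS encodes a day counter in TT and base64 of the HMAC in HHHH;
    here the timestamp is fixed so the output is reproducible.
    """
    local, _, domain = envelope_sender.rpartition("@")
    ts = "AA"
    tag = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(),
                   hashlib.sha1).hexdigest()[:4].upper()
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"


def forwarding_outcomes(forwarder_ip="192.0.2.77"):
    """One forwarded message (original envelope sender alice@example.org, now
    arriving from the forwarder's IP, which example.org does not list) under
    each 'all' policy, plus the same message after an SRS rewrite."""
    base = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net"
    out = {}
    for suffix in ("-all", "~all", "?all"):
        zone = {**ZONE, "example.org": f"{base} {suffix}"}
        out[suffix] = spf_check("alice@example.org", forwarder_ip, zone)
    rewritten = srs_rewrite("alice@example.org", "forwarder.example")
    out["srs"] = spf_check(rewritten, forwarder_ip)
    return out


if __name__ == "__main__":
    for policy, result in forwarding_outcomes().items():
        print(f"{policy:>4}: {result}")
```

Run as-is, the forwarded message is "fail" under -all and "softfail" under ~all, while "?all" yields "neutral" (the receiver falls back to whatever it thinks of the forwarder's IP), and after the SRS rewrite the envelope domain is the forwarder's own, whose record lists its IP, so SPF passes again.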
