There is certainly more domains than mail servers. If the average
server were to handle just two domains, this still leaves considerable
room for disputes to arise. From the perspective of a reputation
service, it is impossible to know either the number of domains sharing
the server, or what identifiers were assured. Reputation can be very
destructive when attributing abuse to the wrong entity.
SPF does not offer authentication. Publishing this SPF authorization
record can be much worse than not publishing, when used beyond just
white-listing. With spammers and phishers already among the first to
offer SPF records, SPF authorization alone provides no protection. When
reputation is applied to authorization, disaster!

SPF/Sender-ID is server authorization. Because it is untrustworthy, (it
causes email to be lost or refused) SPF/Sender-ID has extremely little
value. It can not be applied in any strict manner reliably. The high
overhead associated with resolving the path registered by SPF, means
this mechanism can not offer network protection. Nor can SPF reliably
offer recipient protection either. Phishing and spamming is sure to
continue with SPF/Sender-ID.

I know there are some that dream of the day when "-all" does not cause
mail to be lost, and when everyone knows which identifier to check. SPF
demands additional diligence by providers, while also leaving the
providers unscathed when they are negligent. SPF may cause a behavior
change in some cases, but this change is almost certain to create even
greater damage for domain owners.

Something like DomainKeys, that will eventually be upgraded to DKIM,
does offer an alternative that is both safe and fair _authentication_.
This alternative to just _authorization_ uses less overhead than
SPF/Sender-ID. In the case of SPF versus DomainKeys, the bad is the
enemy of the good, safe, and fair. : )

-Doug

This draft still insists that by providing authorization for the server,
the mailbox-domain owner is "responsible for having sent the message."
How can you arrive at this conclusion without considering
"authorization" equivalent to "authentication?" How do you know the use
of the mailbox-domain is "legitimate?" You are assuming exclusive use
of the mailbox-domain is assured by the email provider.

This introductory paragraph must include a dire warning there will be
those that consider "authorization" equivalent to "authentication." To
protect the reputation of your domain, establish service level
agreements with your provider that indemnifies you, as the domain owner,
from the provider allowing non-exclusive use of your mailbox-domain,
whether for the bounce-address or the purported responsible address.

Those, in control of millions of zombies, will have at their disposal a
matrix of all possible mailbox-domains that authorize the outbound
server, detected by issuing a single message. Those servers shared by
many domains will be an exploit bonanza. This false assumption, which
goes well beyond what may be safely deduced from server authorization,
place a majority of mailbox-domain owner's reputation in peril.
The results remain unchanged. "Considered responsible for sending the
message" represents an irresponsible conclusion. What assumptions
permit this conclusion? Is it the domain owner that should know better
than to trust their email provider? Or is it the recipient that should
know better than trust the mailbox-domain to be legitimate? The
statements in the introduction and what is implied by a Pass condition
will result in considerable harm.
This is not entirely true. This draft can still recommend deprecating
the use of version 1 records, and document how version 2 records ARE
being used.
The inordinate number of DNS lookups mandated by SPF to resolve a
sizeable address list, when just a single host is being sought, pose
serious indefensible risk. Motivation to change this practice will
likely become a matter of necessity at some point.
2.1. The HELO Identity
...
,----
| Note that requirements for the domain presented in the EHLO or HELO
| command are not always clear to the sending party, and SPF clients
| must be prepared for the "HELO" identity to be malformed or an IP
| address literal. At the time of this writing, many legitimate e-mails
| are delivered with invalid HELO domains.
`----
Wouldn't BATV provide superior blow-back (DSN notifications sent to a
spoofed bounce-address) protection? Unlike SPF, BATV achieves results
when implemented unilaterally. Just removing original message content
in the DSN would also deprecate spoofing the bounce-address as a
delivery ploy for spam or viruses.
When you say MARID, do you mean Sender-ID? It is unrealistic to expect
Sender-ID will change. There are real and inexcusable dangers created
by how the scope-less version 1 SPF record is interpreted. To insist
that documented methods in the use of SPF records must exclude the
scoped version of the record is nonsensical. This abstinence from scope
enables a Sender-ID reputation trap.
The time lines of these decisions should not preclude becoming aware of
a problem created by a competing draft. Once aware of the results of
this capricious dismissal of a previously considered essential element,
act to reintroduce scope.

You should understand that publishing SPF records are not free from
risk, even without errors. Much of the risk occurs as a result of those
that mistake authorization for authentication. The domain supported by
server authorization can not safely be assumed to have originated the
message. While it could be possible to refuse messages that are not
authorized by an SPF record demanding strict compliance, this is really
not practical either.

The real use for SPF is to offer greater protection for bulk email
distributors by way of white-listing implemented by major providers. I
would even recommend that there be a scope devised, such as admin, to
specially limit the SPF record to this use. This would mean there are
NO assurances being made for any mailbox-domain anywhere within the
message. The domain owner simply wants to be trusted to do the right
thing and does not want to risk any contained mailbox-domain becoming a
victim of authorization-reputation.
This version of the SPF record is also seen as applicable for the PRA.
For a brief period of time it was. The draft that includes this scope
for this early record also shares a common author. You are really in a
weak position to insist they are wrong and you are right. You will not
win this argument and harm those that believe otherwise.
Once insidious applications creep in that base reputations upon PRA
authorizations, while using the Machiavellian user feedback, this will
become a very real problem. I can imagine it now. "We supply the
tools. These tools don't give mailbox-domains a bad reputation, people
give mailbox-domains a bad reputation."

-Doug