2007-12-06
Why large ISPs like SPF (the cynical view)
One of the peculiarities of SPF and related schemes is that many large ISPs are quite enthusiastic about it, especially free webmail places like Hotmail, Yahoo, and Google Mail. However, this enthusiasm rarely extends to blocking incoming email that fails SPF checks, although they are happy to encourage you to use SPF on your own mail.
The cynical view of this is that ISPs love the idea of SPF because it gives them more control over their customers. With SPF, their customers are not only tied to the ISP for reading their email, they are tied to the ISP for sending email too. This suggests why the free webmail providers are so enthusiastic; all of them show ads on their websites, so the more they can force users to use those websites the more they profit.
This also may explain why people are enthusiastic about SPF variants
like DomainKeys that
validate the message headers, since it gives them even more control of
what users can do. (For most users, what matters is not their envelope
origin address but what From:
header says.)
Sidebar: the less cynical view of DomainKeys
The less cynical view of why Google and Yahoo are behind signing the
From:
header instead of the envelope origin address is that they are
smart enough to understand that in the real world, no one is using
either SPF or DomainKeys to reject email in the MTA. If you're aiming
at users instead of MTAs, the message headers are what really matters,
and so authenticating them is the important thing.
(And you actually have a shot at persuading MUA authors to include optional DomainKeys checking, or writing plugins to do it for popular MUAs.)