Hello! Wild idea time: I won't be surprised if this is shot down...
Proposal: "Personal SPF" - A DNS-based lookup system to allow individual sender's of e-mail to publish a *personal* SPF record within the context of their domain's SPF records, that would identify an IP or range of IP's which they would be 'stating' are the only possible sources of their mail.
Why 'personal'? Because I run an ISP where user's *may* send their mail via any number of DSL connections, so I can't publish 'positive' SPF records for our whole domain. But if I could have member's opt-in to a 'personal' registry, and have spamassassin check for '1.1.1.1.address.personalspf.domain.tld' and treat it like an SPF lookup, then a lot of people who currently do not enjoy SPF protection could 'sign up' and help clear the iway of junk. :)
A sender could 'opt-in' with a range of addresses, or, if the sender does not choose one, they get a 'neutral' result. Totally non-existent addresses would get a special response to distinguish the result from simple 'host not found' responses, and thus this Personal SPF could also serve as a more efficient mechanism for sender existence verification.
Such a mechanism would enjoy the benefits of DNS caching, and avoid the problematic aspects of sender 'callback' SMTP verification, which, the more I read, the less I like. :(
Obviously there would be 'details' to work out, but fundamentally, the question is, would the same mechanism that handles SPF be able to handle the additional 'load' of personal SPF? Or would this be a bigger burden than SMTP callbacks?
- Charles
