MJ Ray wrote:
What I don't understand is why haven't you set this up using TXT records in your DNS and told us how to try it?
It seems too simple...
Seriously, though, I looked at stuff like SPF and know its flaws. I just want a way that I (or anyone else) can send email, through normal SMTP, such that the recipient, should they choose, can verify that I sent it, regardless of whether they know who I am or have any previous relationship with me. Just that if it says it comes from example.com, then it did come from example.com.
Of-course if I didn't add the necessary signature in the header, or the necessary record in my DNS, then I would expect the recipient to treat it the way the do now. Normal email wouldn't be broken. (I'd suggest that the DNS should include flags to say whether all email from a domain must be expected to be signed or not, so that "reject if not signed" is an option.)
To be honest I assume there's either a similar scheme in operation I don't know about, or someone has thought about it and ruled it out.
I think it may fail because of bandwidth and CPU costs (CPU on my mailservers is already pretty occupied by filtering out the obvious spam, even with very little reaching amavisd or spamd) but I'd be interested to know how it fares. It seems no worse than other shared whitelist schemes and makes sending more expensive for spammers too.
There is a cost to the sender (miniscule except with bulk email). The cost to the recipient, if they choose to use it (and they can safely ignore it if they wish) is I think going to be less than the overhead of most existing spam checking.
Note that this does not try to be an anti-spam measure any more than SPF does. It would not stop the owner of i-send-spam.com sending mail from their domain, but it would stop them spoofing my address when they send it. Indeed it would be worth their while checking any domain they intend to use for spoofing to see if it has a published key, because spoofing a "reject-if-not-signed" domain would flag the sender up as spam. Hopefully this would mean my domain would get used much less for spoofing, and that would be an incentive for other people to sign their domains too. World domination would only be a step away!