Tony,

>> first, there is an increasingly heated debate between folks who want
>> to sign the message (TEOS, DomainKeys), versus others who want to
>> secure the channel between sender and receiver (RMX, LMAP, SPF,
>> etc.).

TH> Is there an obvious reason not to do both?

Cost of effort. Distraction of scarce resources. Public damage from unmet expectations. Etc., etc.

TH> It is time to stop fighting
TH> over which is better and put both approaches out there.

Recently, I have become fond of the phrase "ready, fire, aim", because so many people support your suggestion.

As you may have noticed, I consider timely response to urgent need a very good thing, indeed. But there is a difference between wasting time working on an ideal solution, to the detriment of an adequate one, versus ignoring basic questions of efficacy and cost.

>> Once that debate is resolved, there is still the matter of compromised
>> system. The message might actually come from the purported author's
>> system, but still not be from the author because it has been taken over
>> by evil forces. So, even with perfect automated validation, the content
>> still might not be valid.

TH> Compromised systems are a problem, but the scope of the bogus mail
TH> originators is limited to the users of the compromised system.

Yup. That's why accountability is inherently good. At least the ability to track down the source is accurate, even if the "identity" of the source might be at issue.

d/
--
Dave Crocker <dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>