>> the problem I have with DKIM filtering is that it is only effective >> for domains that can reasonably insist that all of the mail >> originated by users at that domain go through that domain's >> submission servers. this is a corner case, not the general case. > > Back in the day, we didn't have any of this VeePeeEn tomfoolery. I > could just telnet in and that was that. I'm sure that our IT folks > paid dearly in time, equipment, and support to throw up that wall, yet > they did it and as far as I can tell we all survived the move. I > don't see anything especially different with mail: if you want > accountability, you have to do real live work -- part of which is > placing restrictions on access. TANSTAAFL. what you are failing to see is just how much reliance on VPNs (and source IPs) to do authentication cripples the network. sure it's better than nothing, but it's also very inflexible and an architectural dead end. (and the problem with TANSTAAFL is that you can use it to justify any kind of brain damage you want, as long as there's some minor associated benefit) >> sure the spammers will learn to not use DKIM domains, but they'll >> just move to other domains, > This is a feature, not a bug: I don't have to outrun the bear, I just > need to outrun you. I'll remind you that as a condition to working in IETF we are all pledged to use our judgment as to what's best for the Internet as a whole...not just for those who can run faster than others. Keith _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf