Remember my spam rant from Monday? Well it looks like one of these ideas is not new, and is proposed as a draft for a future RFC. It is here.
Here is my feedback to the author…
I hope it gets adopted and accepted by people. We have a domain that was used for free email before (altavista.com) and even though we stopped the service, we still get hundreds of complaints of “Your user sent me this spam!” – all of them are forged. So I think it would be excellent to get MS records in place, even if acceptance is not widespread; all it takes is a couple of large receivers to adopt it and spammers will learn to avoid domains with MS records.
I like the idea of using a crypto challenge, but I’m also afraid that it will take longer to adopt than just setting MS records with host names like MX records are today. MS records with hostnames can be adopted by the sender with no software change, whereas the crypto method requires new software for both the sender and receiver. I also think that adopting a crypto solution will be a more complicated change for software vendors, whereas a DNS lookup is a pretty trivial change.
One suggestion for this could be to have the MS record be either a hostname (or string of hostnames) OR a crypto public key. This would allow senders to get started right away even if a software update is not available for their mailserver.
Another suggestion I had was to give a sample format for the public key, and for the challenge and response, using an actual sample key like PGP or something similar. (Would SSL work for this? I’m not sure.) I don’t think it’s important to identify a single crypto type as preferred, but giving a sample implementation and sample transaction would at least steer people in the right direction. (Supporting different types of crypto and getting various vendors to agree on which types to support might be a challenge; that brings its own “standards” discussion.)
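To make the receiver-side check concrete, here is an added example that is not code from the draft or from this post. It sketches the two record shapes suggested above (a list of sending hostnames, or a public key) and how a receiving mail server would act on them: a domain with no MS record gets no verdict, a listed host passes, an unlisted host (the forged case described above) fails, and a key-bearing record hands off to a crypto challenge. The record syntax, the `k=` prefix marking a key, and all DNS data are constructed assumptions, since the page defines no format.

```python
"""Receiver-side check against a hypothetical "MS" (mail sender) DNS record.

Assumed record format (not defined on the page): a TXT-style string that is
either a space-separated list of sending hostnames, or a public key prefixed
with "k=". The DNS tables below are constructed stand-ins for real lookups.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for an MS record lookup: domain -> record text.
# None models a domain that has not published any MS record.
MS_RECORDS = {
    "example.com": "mail1.example.com mail2.example.com",
    "keyed.example": "k=PLACEHOLDER_PUBLIC_KEY",  # constructed placeholder key
    "legacy.example": None,
}

# Constructed stand-in for A-record lookups of the listed sending hosts.
A_RECORDS = {
    "mail1.example.com": ["192.0.2.10"],
    "mail2.example.com": ["192.0.2.11", "192.0.2.12"],
}


@dataclass
class MsPolicy:
    """Parsed MS record: either a host list or a public key, never both."""
    hosts: List[str] = field(default_factory=list)
    public_key: Optional[str] = None


def parse_ms_record(text: str) -> MsPolicy:
    """Split a record into the hostname form or the key form (assumed syntax)."""
    text = text.strip()
    if text.startswith("k="):
        return MsPolicy(public_key=text[2:])
    return MsPolicy(hosts=text.split())


def check_sender(mail_from_domain: str, connecting_ip: str,
                 ms_records=MS_RECORDS, a_records=A_RECORDS) -> str:
    """Return the receiver's verdict for one SMTP connection.

    'none'      - the domain publishes no MS record; no policy to apply.
    'pass'      - the connecting IP resolves from a listed sending host.
    'fail'      - the domain publishes hosts, but this IP is not one of them
                  (the forged-sender case the post complains about).
    'challenge' - the record carries a public key; a crypto challenge is
                  required instead of a hostname comparison.
    """
    record = ms_records.get(mail_from_domain)
    if record is None:
        return "none"
    policy = parse_ms_record(record)
    if policy.public_key is not None:
        return "challenge"
    ip = ipaddress.ip_address(connecting_ip)
    for host in policy.hosts:
        # Resolve each listed host, as a receiver would with real A lookups.
        for addr in a_records.get(host, []):
            if ipaddress.ip_address(addr) == ip:
                return "pass"
    return "fail"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.11"),
                       ("example.com", "198.51.100.7"),
                       ("legacy.example", "198.51.100.7"),
                       ("keyed.example", "198.51.100.7")]:
        print(f"{domain:16} from {ip:14} -> {check_sender(domain, ip)}")
```

A receiver that treats `fail` as a reject while treating `none` as "no opinion" is what lets a domain publish its record before adoption is widespread: forged mail claiming to be from a publishing domain is blocked by the receivers that do check, and nothing changes for domains that have not published anything.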