Cloud customers, including those of ACCA members, are asking which governments have access to their data, and whose laws prevail, when it is hosted offshore. This lack of legal clarity is impeding the growth of what is inherently an international market.

To unthread some of these issues ACCA earlier this year partnered with a leading business consultancy and a law firm to survey 14 markets across the region.

We are developing a great dataset about regulations as they apply to cloud in each market. Our partners will also survey cloud customers to find what problems they have experienced and what their concerns are around data sovereignty.

The report, which is expected to conclude by the end of Q3, will rank each market for its suitability for global data cloud services.

Lawyer and ACCA member Stacy Baird, who is overseeing the project on behalf of ACCA, says ACCA members have expressed growing concern about the issue.

Increasingly, they are hearing questions from their customers: do foreign governments have access to data stored in another country? If my data is stored offshore, does the offshore government have access to the data?

Stacy says what is unusual is that this is a problem that has emerged in Asia and the west at the same time. Historically tech industry problems first arise in North America and Europe, and Asian countries have followed suit.

“In this case, governments around the globe are grappling with these issues,” he says. “I think that says a lot about the nature of IT and cloud, that it is truly global.”

While the ACCA study will lay out the problems, the solutions are not simple. Asia is a diverse region with almost every possible kind of political and legal structure.

But says many of the region’s governments see the economic significance of the cloud and are willing to take hold of the issue.

“They realise that they want to respond to the changing data management environment,” Stacy says. “They’re concerned about data and privacy, but there’s a recognition that there’s a major economic growth opportunity.

“It can be an opportunity for positive reform to laws around the world that will preserve sovereignty, protect privacy, but also enable the growth of cloud computing.”

By: Per Dahlberg, Executive Director and CEO, Asia Cloud Computing Association.
pdahlberg@asiacloud.org

Online Trust Alliance Honor Roll 2013 

Online Trust Alliance Announces Top-Ranked Websites for Security, Privacy and Consumer Protection

CHICAGO, IL  – June 5, 2013 – Internet Retailer Conference & Expo – The Online Trust Alliance (OTA), a nonprofit organization with a mission to enhance online trust by collaboratively establishing best practices for privacy and security, today released the 2013 Online Trust Honor Roll report, revealing the top scoring websites recognized for excellence in privacy, security and consumer protection.

OTA completed comprehensive audits, reviewing more than 750 domains and privacy policies, 10,000+ web pages and over 500 million emails associated with the Internet Retailer 500 (IR500), Federal Deposit Insurance Corporation (FDIC 100), and Top 50 Social and Federal Government sites. The composite analysis focused on three major areas: Domain, Brand & Consumer Protection; Site, Server & Infrastructure Security; and Data Protection & Privacy. Combined, over a dozen attributes were reviewed for the 2013 report.  Details are posted athttps://otalliance.org/2013honorroll.html.

Thirty-two percent of the companies audited made the Honor Roll. Twitter had the top overall composite score and American Greetings achieved the number one ranking of all internet retailers.    These companies have demonstrated a commitment to voluntary best practices, consumer protection and self-regulation. In addition to American Greetings, Amazon, Big Fish Games, Bike Bandit, Books-A-Million, iHerb, JackThreads, Levenger Co., LivingSocial, Netflix, Ralph Lauren and Rock Auto qualified for the top 10 eCommerce sites (two sites tied for two rankings are included in the top 10).

“Twitter is pleased to have earned the top score on the OTA Honor Roll.  By supporting Always-On-SSL, Do Not Track, DMARC, and most recently login verification, we aim to keep users connected securely to everything happening in the global town square,” said Bob Lord, director of information security, Twitter.

“Through an ongoing process we have evolved our data security and privacy practices from one of compliance to one of stewardship,” said Joseph Yanoska, vice president, technology, American Greetings. “We’re honored by the recognition the OTA has given us, and are committed to supporting their efforts. We share and embrace their approach to security and hope that it results in a higher level of trust from our customer base.”

Social gaming and dating sites (Social 50) outpaced both the IR500 and FDIC 100 2:1 in percent of companies qualifying for the Honor Roll. This disparity is attributed to the agility of sites within this segment, their recognition of the importance of data security and privacy and their infrastructure.  Many banks and commerce sites have more complex legacy sites and data centers which impede their ability to quickly adopt many of the best practices.

“The 2013 report demonstrates how business leaders have recognized the need to move from compliance to stewardship. This is critical to consumer trust and to help stem the call for more regulation. The Online Trust Honor Roll report provides prescriptive and actionable guidance for businesses to move from a state of inaction to one which will enhance consumer protection,” said Craig Spiezle, president and executive director of OTA.

Key Findings of the 2013 Online Trust Honor Roll: 

• 32% of companies qualified for the 2013 Online Trust Honor Roll, with the overall top score being awarded to Twitter.
• Though 26% of the Internet Retailer 500 made the Honor Roll, a slight improvement over 2012, 53% are still failing to achieve passing scores in one or more categories, unnecessarily exposing users to security, privacy and social engineering threats.
• FDIC member banks demonstrated significant improvements over last year with 25% making the Honor Roll.  Of those that did not qualify, 71% received failing grades in one or more categories, largely attributed to inadequate email and domain protection or outdated privacy policies with inconsistencies observed between their written policy and actual data collection observed.
• The banking sector led in the adoption of Extended Validation SSL (EV SSL) certificates, at 60%, while overall worldwide growth of EV SSL certificates grew 28% over 2012.
• Top U.S. Government (Federal 50) sites made improvements across all sectors, achieving 88% support of DNSSEC, yet significantly lagged in helping protect consumers from forged and deceptive email and securing their sites from known vulnerabilities.  Only 20% adopted both SPF and DKIM and one third received failing grades for their SSL server security.
• Adoption of email authentication to counter forged and malicious email experienced double-digit growth across three of the four segments with IR100 adoption of both SPF and DKIM jumping 20% to 76%.
• Privacy scores climbed in all categories representing the importance of transparency and controls on sharing with third parties. OTA member companies led all segments with an average of 83.7% increasing 5 points over 2012.

“Being named to the 2013 Online Trust Honor Roll is a significant achievement. The adoption of best practices not only helps to protect customers, it also builds brand integrity, enhances click through and reduces the risk of shopping cart abandonment,” said Spiezle.

Webinar Briefing: OTA will host an online briefing on Wednesday, June 12 at 10 a.m. – 11:30 a.m. PDT.

To attend, register at:  https://www1.gotomeeting.com/register/557281512

About The Online Trust Alliance (OTA) 
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust, while promoting innovation and the vitality of the internet. Our goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users’ security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.

Today the Online Trust Alliance (OTA) – of which TrustSphere is a member – issued its fourth annual Online Trust Honor Roll report, which recognizes leading online companies’ efforts to enhance the security and privacy of user’s data and their adoption of leading self-regulatory practices, polices and technologies.

This outstanding report is a ‘must read’ for anyone who plays any role in any area of online security.  It provides exceptional insights that are backed up by solid data and represents a holistic view of widely accepted best practices to help secure consumer data, enhance user privacy and protect brands online.

For more information visit https://otalliance.org/news/releases/2013honorroll.html.

Ernst & Young and the FBI have teamed up to identify the top 3,000 words and phrases that employees acting as rogue traders or fraudsters use in emails. Targeting suspected employees and using filtering email systems to note the presence of these key words and phrases can save companies millions of dollars before the money is lost due to fraud.

Terms such as “Nobody will find out,” “They owe it to me,” “cover up” and “write off” are commonly used phrases when fraud is taking place, where as “special fees” and “friendly payments” are common in bribery cases. When corporate fraudsters are afraid of getting caught phrases such as “no inspection” and “do not volunteer information” are used.

With this new insight into monitoring employee behavior companies can now safeguard fund from the inside out. Ultimately the best way to prevent fraud is be aware, use up-to-date software and monitor what’s coming in and what’s transpiring within the company. Check out the top ten fraud words and phrases used in email conversations and protect your company now:

1.   Cover up
2.   Write off
3.   Illegal
4.   Failed investment
5.   Nobody will find out
6.   Grey area
7.   They owe it to me
8.   Do not volunteer information
9.   Not ethical
10. Off the books

By: Per Dahlberg, pdahlberg@asiacloud.org

If there’s one prediction we can make for 2013 it is that cloud computing will become even more critical to Asian businesses and governments.

The cloud is the number one priority for almost 40% of Asian business and governments polled recently by Frost & Sullivan. The research firm also predicts the regional cloud market will be worth $12.1 billion by 2016.

Given the potential to reduce business costs, improve productivity and enable innovation, cloud computing is increasingly being recognised as both a driver and differentiator of competitiveness. Many policy-makers and business leaders are already heavily engaged with cloud development – and we at ACCA believe that those that aren’t need to be.

That is where our Cloud Readiness Index 2012, released in November, comes in: providing both insights into the factors holding back cloud adoption, and to the strategies being adopted by leading cloud economies.

n this blog we will share reflections on developments in different countries throughout the year, and how these may affect, or are affecting, cloud adoption and cloud ‘readiness’ across Asian economies.

Broadband as enabler
One of the biggest obstacles in the region currently is broadband quality. While countries such as Korea and Japan regularly come in at the top of global broadband rankings, a number of emerging economies are still struggling to improve speed and coverage.

In the Index, four countries – India, Philippines, Indonesia and Vietnam – scored below three points out of ten for their broadband quality. Malaysia and China scored below four. Most of these countries are pushing ahead with broadband deployment programmes of various kinds, but without extraordinary investment programmes or innovative approaches to the issue, it will continue to be a bottleneck in 2013 and for some time to come. Ironically, of course, these markets represent some of the fastest growing mobile economies – both in adoption and usage – in the world. Looking to enable cloud benefits via mobile populations is just one approach many of our members are currently working on.

Data as Currency
Another issue vital to our members, and the cloud ecosystem at large, is data sovereignty – the question of who owns cloud-stored data, and under whose jurisdiction it falls. The cloud business is inherently cross-border, and businesses will hesitate to store their data in countries that lack solid and predictable legal framework.

Many governments in the region understand the concerns around this issue and are moving to address them. But in some markets, such as Thailand and Indonesia, the level of legal protection remains especially uncertain or unclear. Again, learning from developments in other economies, and the benefits that this brings, we believe to be a sensible first step to providing clarification.

Facilitating Constructive Engagement
As a collaborative forum of cloud thought leaders, the ACCA works to address cloud adoption challenges throughout the region. Engagement and dialogue is a very important aspect of our work, and we remain keen, as a group, to engage with authorities around the region on these and other issues.

TrustSphere and QUANTM Partner to Distribute Revolutionary Messaging Intelligence Platform in India and South Asia

Premier Indian IT Consultancy Expands its Offerings With TrustVault, the Industry’s First Messaging Intelligence Platform for Sales Intelligence, Messaging and Security Applications

NEW DELHI – April 11, 2013 – TrustSphere (www.trustsphere.com), a pioneer of next-generation solutions utilizing ”Messaging Intelligence” to provide valuable data for Sales Intelligence applications and for ensuring the security of corporate messaging systems, announced its partnership today with QUANTM (www.quantm.com), India’s leading provider of IT Infrastructure solutions and services. Per the terms of the agreement, QUANTM will be the exclusive distributor of TrustSphere’s TrustVault Messaging Intelligence platform throughout India and South Asia, providing customers with first line service and support services.

“With an exceptional reputation for innovative problem solving, its ability to provide highly professional support to its customers across India and South Asia, and as a leading and highly regarded System Integrator, QUANTM is clearly the ideal partner to expand the availability of our TrustVault solution throughout this important region,” said Manish Goel, CEO of TrustSphere. “The combination of TrustVault’s advanced capabilities, coupled with QUANTM’s service and support for IT infrastructures, will provide customers with both new insight for their sales intelligence applications and new capabilities for ensuring the reliability and security of their messaging systems.”

“Over the last few years we have invested in catering to the ever changing needs of our customers by offering Strategic Outsourcing, Cloud Services, Security and Applications in addition to being a recognized SI. Partnering with TrustSphere is a significant milestone in strengthening our portfolio. We truly believe that our strength and more than a decade of experience in messaging and security coupled with Messaging Intelligence from TrustSphere will create a compelling value proposition to our clients,” said Pawan Khurana, CEO of QUANTM Ltd.

The unique TrustVault Messaging Intelligence platform has been proven in deployments with leading organizations worldwide. TrustVault provides an unprecedented level of analytics covering the activity between an organization and its customers, suppliers and partners. This intelligence is used by clients to improve sales performance, security infrastructure and corporate governance.

About QUANTM
QUANTM Ltd (www.quantm.com) a 22-year-old leading system integrator in IT domain with its presence across India with offices in all metros and its global presence in UAE and USA. In addition to its strong SI practice QUANTM today offers Strategic Outsourcing, Managed Services, Business Continuity Solutions, etc. It also focuses on Enterprise Cloud solutions through its brand RAINQLOUD (www.rainqloud.com) and Business Applications through its group company TEAMWORQ (www.teamworq.co) that it acquired in 2011. It was adjudged “Best Managed Services Partner in Asia Pacific for 2012” by Canalys Channel Forum, “Hall of Fame” by Channel World (2012), “Best cloud player” by Channel World (2012), DQ Channels (2010, 2011, 2012) for QUANTM and IBM BEACON AWARD for “Most Innovative Application Suite for Asia Pacific” for its messaging and collaboration solution for TEAMWORQ in 2009 among many other accolades that it’s been winning for years.

About TrustSphere
TrustSphere is a pioneer in “Messaging Intelligence,” a next-generation approach to providing valuable and actionable data for sales intelligence and governance applications and for ensuring the security of corporate messaging systems. The company was recognized as a ”Cool Vendor” for 2011 by Gartner and its award-winning solutions have proven their industry-leading capabilities in major deployments with large corporations and major government organizations. TrustSphere is an IBM Business Partner and the company’s solutions are available through a growing number of business and technology partners across the globe. The company has offices in Singapore, New York, Sydney and London.

For more information on TrustSphere and its solutions visit the company’s website atwww.trustsphere.com.

# # #

TrustSphere Media Contact

John Giddings
Mobility Public Relations
+1-650-245-2782
Email: trustsphere@mobilitypr.com
Press kit: www.Trustsphere.com

QUANTM Media Contact

Ritu Khanna
QUANTM
+91-9582228336
mngr.corpcomm@quantm.com
Twitter: @QUANTM-World
Press kit: www.quantm.com

While even laymen recognize that the typical denial-of-service attacks can overload servers hosting a company’s website, what they – and the media meant to inform them – failed to recognize is that these Internet-based attacks can also bring down a company’s email services. When these servers become bogged down due to a traffic overload, a company is unable to communicate with customers, partners or even amongst its own employees. With email as by far the most dominant form of communication used in the business world today, even a short-term lapse in communication can significantly impact business operations and result in painful losses.

We at TrustSphere recognize the need for uninterrupted email and our TrustVault Messaging Intelligence platform has been created to combat these issues. TrustVault, with its Trusted Sender Recognition capability, allows gateway appliances such as firewalls and edge routers, to filter and prioritize legitimate connections, keeping trusted communications running even in the wake of a DDoS attack.

TrustSphere and Agosto Partner to Address Messaging and Sales Analytics Needs of Organizations Using Google Apps

Top Google Apps Consultancy Expands Its Offerings with TrustSphere’s TrustVault

MINNEAPOLIS – March 12, 2013 – TrustSphere (www.trustsphere.com), a pioneer of next-generation solutions utilizing ‘Messaging Intelligence’ to ensure the security of corporate messaging systems and for Sales Intelligence applications, today announced its partnership with Agosto, (www.agosto.com) one of the world’s oldest and fastest-growing Google Apps and cloud services consulting firms.  Agosto will offer TrustSphere’s TrustVault Messaging Intelligence platform to its clients throughout the U.S., and will additionally provide comprehensive deployment, configuration and maintenance services.

“Agosto, with its exceptional Google Apps experience, is an ideal partner for TrustSphere and enables us to further expand our U.S. sales presence,” said Manish Goel, CEO of TrustSphere. “The combination of TrustVault’s advanced capabilities, coupled with Agosto’s Google Apps know-how, systems integration, service and support expertise, will enable even the largest organizations to comprehensively address their most challenging email messaging based threats.”

“Adding TrustSphere’s Messaging Intelligence platform is a natural progression in our solutions-based offerings for clients,” said Aric Bandy, Agosto CEO. “The ability to analyze and better predict the context of traffic flowing in and out of an organization without breaching privacy will provide clients insight on security and productivity.”

Proven in deployments with businesses and government agencies the world over, the unique TrustVault solution protects against many of the most common and challenging email-based threats.  In particular, it prevents legitimate – often business-critical and time-sensitive – emails from being incorrectly quarantined as spam (‘false positives’), ensuring business operations are not affected.  TrustVault accomplishes this by creating ‘social graphs’ that chart the email-based relationships between an organization’s employees and the people they regularly email to identify trusted senders.  Using this unprecedented level of messaging information, TrustVault works in tandem with spam filters and anti-virus solutions to ensure that legitimate messages are fast-tracked for delivery and that suspicious messages are closely scrutinized, which results in the highest levels of email security.

TrustVault also enables organizations to combat other such email-based threats as: spear phishing attacks, distributed denial of service (DDoS) attacks and socially-based DDoS attacks that specifically target specific ‘high value’ individuals, such as CEOs.  Additionally, the messaging intelligence capabilities of TrustVault can be applied to Sales Analytics applications.

About Agosto
Founded in 2001 in Minneapolis, and with offices in Minneapolis and Toronto, Agosto is one of the world’s oldest and fastest-growing Google Apps and cloud consulting firms. One of the earliest Google Apps partners, Agosto served on Google’s Customer Advisory Board in 2008 and joined its Enterprise Advisory Board in 2009, one of only eight partners to sit on the board. In 2012, Agosto received the Minnesota High Tech Association (MHTA) Tekne award in the technology and consulting category for small and growing businesses. Agosto was featured along with Microsoft, Oracle and Rackspace on Talkin’ Cloud’s 2012 Top 100 Cloud Services Providers List. Agosto’s clients include Corel, Dunn Bros Coffee, CATCO, Regis Corporation, The Second City, 2nd Wind Exercise, Famous Dave’s, Goodwill Easter Seals and Jaguar Land Rover. Follow us on Twitter at twitter.com/goAgosto.

About TrustSphere
TrustSphere is a pioneer in ‘Messaging Intelligence’ a next-generation approach to ensuring the security, integrity and reliability of the messaging systems that organizations rely upon. The company was recognized as a ‘Cool Vendor’ for 2011 by Gartner and its award-winning solutions have been successfully deployed by both large corporations and major government organizations, proving their industry-leading capabilities. TrustSphere’s solutions are available through a growing number of value-added resellers and systems integrators across the globe. The company has offices throughout the world, including Singapore, New York, Sydney, Tokyo and London.

For more information on TrustSphere and its solutions visit the company’s website at www.trustsphere.com

# # #

TrustSphere Media Contact

John Giddings
Mobility Public Relations
+1-650-245-2782
trustsphere@mobilitypr.com

Twitter: @TrustSphere
Press kit: www.Trustsphere.com

Agosto Media Contact

Caroline Life
Agosto
+1-612-605-3526
caroline.life@agosto.com 

Twitter: @goAgosto
Press kit: www.agosto.com

A defensive strategy for accepting email over IPv6

Roland Turner

There is a legitimate concern about the additional workload that this will create – both for receivers and legitimate senders – in causing duplicate delivery of some/most/all legitimate email. I’d suggest that for early adopters this will not be a great concern, particularly while the total volume of email-over-IPv6 is small.

• If many receivers adopt this approach when piloting accepting-over-IPv6, then the incentive to spammers to move to IPv6 will be greatly diminished in the first place, thus cutting much of the duplicate workload for receivers whom senders can see are taking this action. (This effect seems unlikely to be large enough to render the infeasibility of IPv6-address blocklists moot, but it would be a great side effect!)
• Early adopting senders are more likely to implement full-authentication anyway; however, insufficient whitelisting may make encountering large numbers of receivers who push traffic to IPv4 cause costs that senders aren’t willing to incur. I’d suggest that operational experience will tell us how this plays out and that senders and receivers will be in a better position to work out what to do about this when/if there’s enough traffic for it to be an actual problem.
• This problem is likely to be particularly acute for forwarders for whom far less mail is likely to pass authentication, despite being legitimate. As in other contexts, forwarded streams are likely to require special handling (e.g. by not delivering them via IPv6 except where DKIM passes, or treating delivery-via-IPv6 as a problem to solve later). It may also be the case the receivers can simply greenlist known-strict forwarders and apply content-based filtering as usual. (Note that such forwarders would not appear on useful blocklists.)

There is another concern about 4xx responses causing poorly-behaved MTAs to delay even before trying other listed MXs, much as there is for greylisting. RFC5321 5.1 only specifies “In any case, the SMTP client SHOULD try at least two addresses.” If it turns out that a substantial number of sending MTAs limit themselves to just two addresses, then implementing this defensive approach would require listing only a single IPv6-reachable MX. This is sufficient from fault-tolerance perspective (fallback to IPv4 being an intrinsic part of the design), but may run afoul of external mandates about MX configuration rules. Such rules could usually be adjusted as part of implementing this approach, but this may nonetheless end up being a show-stopper for the entire approach for some organisations. Only operational experience will tell for certain.

As for greylisting, there may be a problem with legitimate but poorly-behaved MTAs that never retry after a 4xx response. As these are rather small in number, the same approach that was used for greylisting is likely to be viable: the development of a database of known legitimate senders who don’t deal correctly with 4xx responses and simply greenlisting them. Mail from these sources should be still be checked by content filters of course.

There may arise a concern that the use of address book data in deciding how to respond during SMTP might expose an address book-harvesting risk. I’d suggest that this was not a concern because it would only apply where domain authentication had succeeded with known good senders (not something that a botnet could usually do by itself) and even then, would only apply if the harvester had guessed a known sender + recipient pair. This appears to be too small an attack surface to worry about but, as ever with security concerns, this needs to be monitored and may need to be the subject of future work.

What defenses against IPv6 will you take?

A defensive strategy for accepting email over IPv6

Roland Turner

In general, content-based anti-spam filters need not be used for messages which have passed any of the aforementioned methods[JM1] . A particular exception is scanning for malware; clearly, it is not desirable to deliver malware even if it’s from a source that’s known to behave well, e.g. if someone’s PC has become infected and is emailing exploits or phishing emails to each of the user’s contacts.

Weaker signals might also be used to decide to accept a message subject to content-based anti-spam filters not detecting a problem. These include:

• The existence of an rDNS entry for the source IP address, the existence of a matching forward DNS entry and the use by the connecting MTA of the same name in the HELO/EHLO string.
• The connection originating from an AS, or a network within one, known to be particularly stringent in its containment of abuse. To avoid confusion, I’ll use the term “greenlisting” to refer to the listing of IPv6 addresses or networks as being allowed to connect but still subject to content-based filtering.
• The RFC5322.From domain name being registered with a registrar known to be particularly stringent in de-registering abusers. This would of course have to be done in conjunction with domain authentication as above. (This is also somewhat hypothetical, I’m not sure that any registrar is currently strict enough for this purpose.)
• Even without a domain whitelist entry, the historical behaviour of the RFC5322.From domain in sending mail to the receiver’s IPv4 service. Again, this would have to be done in conjunction with domain authentication.
• The presence of a well-formed, non-anonymized information for the RFC5322.From domain and/or the source IP address block.

These five weak signals are all a little less robust than competent whitelisting, and may have to be tried on a “sacrificial lamb” basis; however, as with the broad strategy of building on an IPv4 fallback, this is easier and safer to do than it was in an IPv4-only universe.

Readers well-versed in this field will notice that what I am describing is an implementation of the Aspen Framework that Meng Wong described in his Sender Authentication Whitepaper 8 years (!) ago. In addition to this, I’d suggest that:

• The concern about the infeasibility of IPv6-address blocklists and the certain availability of the IPv4 fallback for the indefinite future provides an opportunity to implement this approach for IPv6 receivers that never existed in an IPv4-only environment.
• The period of time that this has taken should be a strong indicator to people who blithely assume that email can simply be moved to IPv6 by mandate. Email is an unusually tough problem and progress is slow.
• Since things move so slowly, it makes incremental approaches like the one described here more valuable than they might otherwise be. (There’s little point piloting a partial approach that will be rendered obsolete when the “complete” approach arrives 6 months later. If you assume that a complete approach is many years away, then there is more to gain from the deployment of partial approaches.)

It is conceivable that this will eventually be the beginning of a migration strategy, that over time so much email will be able to be accepted on a “we know something good about this message” (rather than a “we know nothing bad about this message” basis) that it will become viable to reject outright any email about which nothing good is known. I don’t actually expect that this will be the case, but also suspect that so much will change during the parallel running of delivery-to-MX over IPv4 and IPv6 that it’s not practical to predict how delivery-to-MX over IPv4 might be phased out. The important observation would appear to be that this approach provides a production-use-ready way to start.

Tune in next week to read additional thoughts on a defensive strategy for accepting email over IPv6.