[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Andy
Sent: Thursday, December 09, 2004 2:04 PM
Subject: RE: [spf-discuss] Agenda item: SenderID Position Statement
On Wed, 2004-12-08 at 10:46, Scott Kitterman wrote:
Right. Option 3 is leave your v=spf1 record as it is and also publish
This should opt you out of PRA without affecting mail from evaluation
(whether it's sender-id or SPF).
The problem with opt-out is believing that that is all you need to do.
It _is_ a simple fix avoid Microsoft's implementation of PRA to do
that. But that doesn't actually fix anything, because people who are
abusing the records can and will continue to abuse them. That is the
nature of abuse. If you use the PRA opt-out record to avoid abuses of
your SPF record, what is to stop someone from abusing the PRA opt-out
record and end up ignoring it? There is no technical fix for this kind
of abuse. The social fix is to standardize (via published documents)
the valid uses, so that when abuse occurs, it is unambiguous who is
doing the abuse and how it is occurring. There will be something to
point to so you can say "it says right here that SPF records MUST only
be used in these situations".
The valid uses of SPF records should be outlined and something should be
Use of SPF records for any other purpose is not guaranteed to
yield predictable results or results that the domain owner
condones. This includes checks of SPF records performed at
times other than during mail submission or by software that is
not directly accepting email from another system. Only software
classified as MTAs, and in many cases only those MTAs that are
on the edge of the local network, should perform checks against
the SPF record.
It was recently pointed out to me (on this list) that
overturning/overriding previous(ly deployed) standards is more difficult
than just coming up with something new. In other words, if SPF says
"don't use me for anything else", trying to piggy-back something
different on it will be an uphill battle.
If the SPF standards documents say something like the above, then all
implementations of PRA against SPF records will be at fault -- which is
exactly what we want. This doesn't, in the end, stop someone from
completely diluting the utility of SPF through abuse, but at least it is
documented that it was diluted through abuse, deliberate
misinterpretation (of the standard), and/or cowboy freewheeling antics.
That is, we can rightly say "SPF is not at fault for your losing email,
that product you are using is not following the standard".
I think all that makes a lot of sense. We ought to do that.
I don't like the opt-out approach either, but I was just trying to be
I believe we have seen a couple of cases of e-mails rejected due to PRA
failures against v=spf1 records at the spf-help RT, but it's difficult to be
sure. While we do need to do the standards work you suggest, we also need
to deal with the reality of what's going on.
Don't forget that one way to avoid Sender-ID PRA failures is to delete your
SPF record. I'd prefer that people pick some other option.