On Fri, Dec 31, 2004 at 02:47:53AM -0800, Greg Connor wrote:
--Øyvind Henriksen <oyvind(_at_)increo(_dot_)no> wrote:
If any user logged on to their network is allowed to send mail out as
anybody (meaning they don't allow third-party relaying, but they don't have
any real anti-forgery protection on outgoing mail) then include is not
really what you want. Include says "Yes it really was this person" -- in
other words, we completely trust that ISP to not allow forgeries. If a
message from "online.no" *MIGHT* be from the legitimate user, but also
might be forged, don't put include:online.no -- put ?include:online.no
instead. That way if the check of "online.no" against the current IP
results in a PASS, then the ultimate SPF result for the customer's domain
would give back a "neutral" or "I don't know" response. ?include is great
because it allows you to put -all at the end more often and with less
problems -- but if you're putting ?all at the end instead of -all then
?include doesn't add value.
I think you're falling into the trap of perverting the meaning of SPF,
as many others seem to be doing these days.
An SPF PASS is supposed to mean "The host that sent this mail is authorised
to send mail claiming to be from this domain", not "you can trust that the
user who this message claims to be from really sent it". Neutral was
supposed to be for hosts which might conceivably someday really send mail
from this domain, but you're not sure. i.e. that while you don't really
expect or want those hosts to send mail claiming to be from your domain,
you might not be able to avoid it for now.
That would include e.g. dynamic IP pools from your users' home ISPs that
you'd really rather they didn't use, but aren't able to move the users over
to you SMTP AUTH system just yet.
If on the other hand it is known that a particular IP will legitimately
be sending mail from your domain and this is an intended method for your
mail to get out, it should get an SPF PASS, irrespective of what auth
they do. Your domain should then get an appropriately bad reputation if
that IP sends out dodgy mail.