spf-discuss

RE: SPF Stats

2005-07-05 00:08:52
On Tue, 2005-07-05 at 02:12 -0400, Scott Kitterman wrote:
> I suppose if missing means not delivered, that's true.  If missing means
> something like lost, I don't see it.  I've had a -all record for about a
> year now and have not seen any significant negative impact.

> I've gotten a handful of SMTP rejections.  After those I knew the message
> was undelivered (nothing was missing by any usual definition of the word)
> and I was able to deal with it.

I don't make a distinction between 'not delivered' and 'lost' because in
the general case a large ISP can't make that kind of distinction. Users
are often not capable even of reading bounce messages and understanding
basic concepts like "user unknown", let alone interpreting an SPF-caused
failure. Have you never made someone read a bounce message to you over
the telephone and then just paraphrased it back to them?

The effect when the ISP starts publishing SPF records with '-all' is
that users suddenly start finding that some of their outgoing mail isn't
getting through, and blame the ISP.

The effect when the ISP starts _honouring_ SPF 'fail' results by
rejecting mail is that users suddenly start finding that some of their
_incoming_ mail isn't arriving, and blame the ISP.

> Anyone particularly worried about this edge case (and in my experience,
> which may not be typical it's a very small one) can add
> ?include:spf.trusted-forwarder.org to their SPF record and avoid forwarding
> related failures for a large fraction of the mail forwarders out there.

'Large fraction'? There are currently about 60 sets of hosts listed
there -- is that really a 'large fraction' of all the hosts out there
which are involved in virtual domain hosting? How many companies are
there which will register your domain for you and then forward its mail
to addresses you specify? I wouldn't call 60 a 'large fraction' of that
number.

> Some senders may "publish SPF records with '-all' and say 'you should trust
> the recipients not to honour SPF if there's a forwarding problem'".  I
> understand that there are edge cases where SPF doesn't work and I'll deal
> with the consequences.  Feel free to reject failures from my domain.  I'll
> work with it.

That's true for yourself, but larger companies who are paid to provide
email service would find it a much harder decision. If you're paid to
provide reliable email service, it's much harder to just say "Feel free
to reject failures from my domain" in the knowledge that this will
include valid mail sent by paying customers.

> I think the benefits are worth the minor inconvenience
> associated with these edge cases.

Perhaps -- but again, others don't see those same benefits. My users
certainly wouldn't -- BATV already gets rid of just about _all_ the fake
bounces, and also allows recipients who use SMTP callouts to reject joe
jobs _without_ much risk of losing valid mail. What further benefit
would SPF '-all' provide on top of that?

> Note that I'm saying it works for me, not that AOL or Verizon or anyone else
> should immediately switch to -all.

Right. Such people really would need to wait for SRS to become
ubiquitous before they could sanely consider such a move. Again, I say
'sanely' because they can _always_ do something stupid like banning all
non-US hosts, etc.

As far as I can tell, SRS isn't going to become part of default
configuration of common mailers any time soon. It's still not even
supported at all by most of them in the default build -- if you want it
you have to rebuild the MTA or install extra software.

When RFC2821 is updated and mandates SRS-like behaviour, perhaps that
will change. That's the main problem for SPF deployment en masse.

-- 
dwmw2
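The forwarding problem argued over in this thread can be reproduced with a small SPF evaluator. What follows is an added example written for this page, not code from the thread or from any SPF or SRS implementation. The DNS table, IP addresses, domain names and the SRS secret key are all constructed; the evaluator handles only the `ip4`, `include` and `all` mechanisms (real SPF, RFC 7208, has many more), and the `srs_forward` helper produces an address in the SRS0 layout with the hash and timestamp encodings that libsrs2-style implementations use, but is a teaching stub, not a production rewriter. It shows the three outcomes the posts describe: a direct send passes, the same message relayed by a forwarder fails a `-all` record, a `?include:` pointing at the forwarder's hosts turns that fail into neutral, and an SRS-rewritten envelope sender passes because the receiver now evaluates the forwarder's own record.

```python
"""Toy SPF check_host() plus an SRS0 rewrite, to show why forwarding
breaks '-all' and how '?include:' and SRS change the result.
Everything below is constructed for illustration (added example)."""
import base64
import hashlib
import hmac
import ipaddress
import time

# Constructed stand-in for DNS TXT lookups (assumption: no real DNS).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Same hosts, but a '?include:' of the forwarders' record before '-all'.
    "lenient.example.com":
        "v=spf1 ip4:192.0.2.0/24 ?include:forwarders.example.net -all",
    "forwarders.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`."""
    if depth > 10:                      # RFC 7208 limits recursion
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            sub = check_host(ip, term[len("include:"):], depth + 1)
            if sub == "pass":           # the include "matched"
                return QUALIFIERS[qual]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"
            # fail/softfail/neutral inside the include: not a match, go on
        else:
            return "permerror"          # unknown mechanism in this toy
    return "neutral"                    # record without 'all' defaults here


SRS_KEY = b"constructed-demo-key"       # assumption: not a real secret
SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(now=None):
    """Two base32 chars encoding (days since epoch) mod 1024."""
    days = int((now if now is not None else time.time()) // 86400) % 1024
    return SRS_ALPHABET[days >> 5] + SRS_ALPHABET[days & 31]


def srs_forward(envelope_from, forwarder_domain, now=None):
    """Rewrite MAIL FROM to SRS0=HHHH=TT=origdomain=local@forwarder."""
    local, _, orig_domain = envelope_from.partition("@")
    ts = srs_timestamp(now)
    msg = (ts + orig_domain + local).lower().encode()
    tag = base64.b64encode(hmac.new(SRS_KEY, msg, hashlib.sha1).digest())
    return f"SRS0={tag[:4].decode()}={ts}={orig_domain}={local}@{forwarder_domain}"


def forwarding_scenario(envelope_from="alice@example.com",
                        direct_ip="192.0.2.10", forwarder_ip="198.51.100.5"):
    """Results a receiver sees for the same message on three paths."""
    domain = envelope_from.split("@")[1]
    rewritten = srs_forward(envelope_from, "forwarder.example.net")
    return {
        "direct": check_host(direct_ip, domain),
        "forwarded": check_host(forwarder_ip, domain),
        "forwarded_with_srs": check_host(forwarder_ip, rewritten.split("@")[1]),
    }


if __name__ == "__main__":
    for path, result in forwarding_scenario().items():
        print(f"{path:>20}: {result}")
    print("?include variant:", check_host("198.51.100.5", "lenient.example.com"))
```

Running the scenario shows `direct: pass`, `forwarded: fail` and `forwarded_with_srs: pass`; the `?include:` variant returns `neutral` for the forwarder's address, which a receiver that rejects only on `fail` will accept. Note the trade-off the thread is arguing about: the `?include:` only helps for forwarders whose hosts are in the included record, while SRS requires the forwarder, not the sender, to deploy something.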

