spf-discuss

Re: Re: Forwarding/Redirecting: The problem as I see it....

2005-07-07 07:20:43
On Thu, 2005-07-07 at 09:52 -0400, Stuart D. Gathman wrote:
> I've come to agree with Tony and David in a way.  SPF *does* have a
> "forwarding problem" - in the same sense that the C language has a "buffer
> overflow problem".  There is no technical problem with SPF.
> When properly deployed, there are no "forwarding problems".  However,
> the requirement for strict checking is "know your forwarders", and
> this is a difficult problem for many receivers - just as ensuring
> that C array bounds will not be exceeded requires careful discipline.
> It is very tempting to go ahead and start rejecting on SPF fail despite not
> knowing your forwarders.

Agreed. The disagreement is only with respect to the difficulty of
knowing one's forwarders. You seem to have managed to do that, while I
have only a few tens of users and cannot reasonably do so.

I don't know where they'll be forwarding mail from -- my only option
would be to force all of them to continually maintain a list of IP
addresses for their own whitelist, which would be a large technical
challenge for me and a time-consuming ongoing task for them.

Tony runs a significantly larger domain and states that it would be
basically impossible for him.

> But this is not a technical problem with SPF.  Since SPF offers
> "relaxed" modes for both sending and receiving, which have no
> requirements at all, new users should be encouraged to always
> start with the relaxed modes until they thoroughly understand
> the requirements for strict checking and publishing.

And I agree with this too. To pick up on John's gun analogy even though
he asked us not to (sorry) and even though Terry doesn't understand
analogies -- "guns don't kill people; people do".

The interesting questions are whether the _safe_ uses of it outweigh the
dangers of it being used unwisely, and to what extent the safe uses of
it could be managed by other, safer, means.

-- 
dwmw2
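
The receiver-side trade-off discussed in this message, sketched as an added example that is not part of the original post or of any SPF implementation. The function names, the forwarder list and the sample deliveries are constructed (RFC 5737 documentation addresses), and "relaxed" receiving is assumed to mean tagging instead of rejecting on SPF fail.

```python
import ipaddress

# Constructed forwarder list: hosts this receiver knows relay mail to its users.
KNOWN_FORWARDERS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/28", "198.51.100.25/32")]

# Constructed deliveries: (connecting IP, SPF result for the envelope sender, note).
DELIVERIES = [
    ("203.0.113.7",   "pass", "direct from the sender's own MTA"),
    ("192.0.2.5",     "fail", "forwarded via a listed forwarder"),
    ("198.51.100.99", "fail", "forwarded via a forwarder nobody listed"),
    ("203.0.113.200", "fail", "forged envelope sender"),
]

def is_known_forwarder(client_ip, forwarders):
    """True if the connecting host is inside one of the listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in forwarders)

def receiver_action(spf_result, client_ip, strict, forwarders):
    """Return 'accept', 'tag' or 'reject' for one delivery.

    A listed forwarder relays other domains' mail, so its IP will not be in
    the original sender's SPF record; the SPF result for that hop is ignored.
    (Simplification: a real setup would rely on the forwarder's own checks.)
    """
    if is_known_forwarder(client_ip, forwarders):
        return "accept"
    if spf_result.lower() == "fail":
        return "reject" if strict else "tag"
    return "accept"

def decide_all(strict, forwarders):
    """Apply the policy to every constructed delivery, in order."""
    return [receiver_action(res, ip, strict, forwarders)
            for ip, res, _note in DELIVERIES]

if __name__ == "__main__":
    for label, strict, fwd in (("strict, forwarders known", True, KNOWN_FORWARDERS),
                               ("strict, no forwarder list", True, []),
                               ("relaxed", False, KNOWN_FORWARDERS)):
        print(f"{label:28}", decide_all(strict, fwd))
```

Under strict checking, the unlisted forwarder's delivery gets the same result as the forged one, because the receiver has nothing to tell them apart.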

