Matthew Elvey wrote:
SPF is simply a way to enumerate all IPs of
MTAs using HELO do.ma.in or MAIL FROM:<user(_at_)do(_dot_)ma(_dot_)in>
The drafts claim to do a lot more than that.
The essence is PASS - INCONCLUSIVE - FAIL, and for a given
domain and SMTP dialogue any IP is in exactly one of these
sets. Yes, the drafts allow to construct per-user-policies
where the LHS can play a role, and there are a lot of more
or less useful subcategries of INCONCLUSIVE like "none",
"unknown", "softfail", "temperror", and "permerror", but
the essence is PASS - INCONCLUSIVE - FAIL.
SPF is marketed as a way to identify and discard junk email.
That's like most marketing beside the point. I'm very unhappy
if somebody markets SPF as FUSSP, because it's not. Getting a
PASS is easy, only a PASS in cojunction with white lists makes
sense. The real power of SPF as stand-alone solution is FAIL.
Spammers can avoid a SPF FAIL. That's no bug, that's the idea.
How do you define "power user", direct-to-MX maybe ?
No, see comment*.
If your definition of "power user" is "anybody with more than
one address", then my vintage '97 MUA has no problem with SPF:
I just write mails using From: nobody(_at_)xyzzy and collect it in
a file "outbox". And when I'm online I send it. My MUA then
automatically uses the MAIL FROM corresponding to the account.
Why should I say MAIL FROM:<nobody(_at_)xyzzy> when sending via
mailto.t-online.de ? BTW, even if I'd try this stunt the MSA
would automatically patch both 2821 and 2822 From.
Another MSA I've used until Nov 30 was mail2.hamburg.de, it
insisted on a MAIL FROM:<f-e(_at_)hamburg> It was impossible for
me to get it wrong (enforced submission rights, see RfC 2476).
The one relay where I have a chance to screw up supports SMTP
AUTH and then allows any MAIL FROM. But if I select the user
profile for this relay I can again send any mail in my "outbox"
with the correct MAIL
FROM:<my(_dot_)address(_at_)4th(_dot_)provider(_dot_)example>
But IMHO all this has nothing to do with a "power user", it's
obvious, you can't use your ebay password at amazon and v.v.,
even kids would understand this (after two simple tests ;-)
elvey.com has an SPF record with a ~all
Yes, ~all (SOFTFAIL) is IMNSHO a bad idea in SPF, test -all if
you want real FAILs. It worked for me (after about 4 months),
back from daily 1000 to zero bogus bounces / challenges / etc.
Bye, Frank
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg