ietf-asrg

Re: [Asrg] Unintended consequence of SPF

2006-03-17 11:23:36

On Fri, 17 Mar 2006, John Levine wrote:

submission turns into an E-mail submission with a From: which is filled in
to look like a request from your own E-mail address.

I can't fathom why anyone would think that is a useful question. It
is a practice that leads inevitably to bad outcomes.

Only if implemented by nitwits.  I have web sites that do more or less
the same thing, submit a request by e-mail, but I take care that the
mail can be delivered like it's supposed to.

In this case, the problem is that the recipient system is using a
broken authentication scheme that rejects useful mail that it should
accept.  Fans of SPF keep trying to redefine SPF's failure cases to be
the fault of people who send mail in ways that SPF can't handle,
rather than as a failure of SPF.

John,

I know you don't like SPF, but you're missing the point here.

SPF is a policy record. If somebody does not want email listed as
originating from them (or listing their address for bounces if
you like) being sent in a certain way where their system is not
the originator of such an email, they specify such a policy.

This does not account for some cases which are valid in
current email architecture, but similar would happen for DKIM
when somebody is using SSP and puts restrictive record there and
then email goes through mail list - this is a valid case that
DKIM would not be able to account for.

You on the DKIM list seem to be arguing that SSP is not needed
(or is harmful, although I'm not sure you ever went that far
publicly). You're obviously entitled to that opinion which is
probably based on the possibility of such failure case, but I do want
to note that some want such policies (to prevent their domain from
being abused, i.e. phishing) and if we draw parallels to SPF, you
should notice that SPF does not have to be used with restrictive
"-all" policies either and could be used with a record ending with "?all"
which would have similar effect to DKIM being used without SSP.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg