Re: [Asrg] ipv6 macro expansion example in SPF specification, DNS ranges

On Mon, Jan 24, 2011 at 5:37 PM, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> 
wrote:
> On 1/24/11 12:53 PM, Dotzero wrote:
> > On Mon, Jan 24, 2011 at 2:52 PM, Douglas 
> > Otis<dotis(_at_)mail-abuse(_dot_)org>
> >  wrote:
> > > There was general consensus at MAAWG, SPF does not serve as a basis for
> > > mitigating spam.  Use of SPF was limited to determining which reputation
> > > services currently list an SPF authorized IP address when handling
> > > complaints, or whether the authorized IP address can be included in
> > > feedback.  This expects SPF records will resolve specific IP addresses.
> > >  This is not necessarily true, nor is it always safe to assume a domain
> > > controls the authorized IP addresses.
> > Doug, I'm not sure that you are correct when you state that there was
> > a consensus for what you describe above. There WAS a consensus that
> > many mailbox providers are not using SPF exactly the way that many
> > originally expected.
> >
> > For example, many do not automatically use a hardfail as a basis to
> > reject mail or discard. The breakage on forwarded/relayed/vanity/lists
> > is in many cases too painful for both sending domains and mailbox
> > providers (think complaint handling/customer service costs).
> >
> > Instead, many mailbox providers are considering SPF results in
> > conjunction with DKIM results in a combination whitelist/blacklist
> > approach. For example, if I get an SPF pass on a record that ends in
> > -all and/or I get a DKIM pass on a first party signature then I have a
> > high confidence level as to where the mail came from at either the
> > transport layer or the message layer. If I have both then I have an
> > even higher confidence level. This does not speak to the "goodness" or
> > badness" of the domain, only relationship to the domain.
> >
> > On the other hand, if a domain is publishing a record ending in a -all
> > AND consistently DKIM signing (even in the absense of an ADSP record
> > although an ALL would be useful), we can have a high confidence level
> > of minimal false positives (that is, legitimate mail that is rejected
> > or discarded) if we throw away mail that fails both SPF and DKIM
> > checks.
> >
> > This does not necessarily presume that a mailbox provider is looking
> > at external reputation services.
> Mike,
>
> An SPF failure can not be trusted to be an indicator of spam.  DKIM signing
> is almost never assured, especially when handled by third-party services.
>  As such, these mechanisms failing alone or together still do not offer a
> safe basis for rejection.  Of course both passing means nothing as well.
Doug, there are plenty of people with real world operational
experience that would disagree with you.  You state that failing means
nothing and passing means nothing. If that is true, why are there a
significant number of implementers using this approach successfully?
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg