ietf-clear

[ietf-clear] Re: Make CSV backwards compatible with legacy SPF records?

2004-12-01 15:45:27
On 11/18/2004 11:38 AM, wayne sent forth electrons to convey:

In <BDC23797.E46D%cdhutzler@aol.com> Carl Hutzler <cdhutzler@aol.com> writes:

On 11/18/04 10:44 AM, "wayne" <wayne@midwestcs.com> wrote:

Now, the folks involved with CSV (Dave C, John L, Doug O, etc.) claim
that checking the HELO domain against SPF records isn't as good as
doing CSV checks.  Despite having listened to them explain this, and
read their specs several times, for the life of me, I can't see why
SPF checks against the HELO domain aren't just as good.

Can you explain the difference to me?

Is this difference significant enough to justify having all your
whitelisted domains implement two very similar systems?...

If someone can explain the differences to me, I would be happy, but
the discussions on the MARID list and during the Jabber sessions lead
me to believe that, for whatever reason, I'm just not getting it.
Repeating those same explanations will probably not help me.
 

Here are some simple explanations of why checking the HELO domain 
against SPF records isn't as good as doing CSV checks.

This coming from someone who thinks it's a good idea to try (and thinks 
he came up with the idea) but recognizes it has weaknesses, which I 
attempted to address a long time ago in this thread.  I believe the 
standardizations I suggested address most, but not all, of them.

I. Surely, you understand that the SPF record discovery algorithm is 
inherently less efficient/more costly than CSV's.  That's obvious, no?  
How many DNS queries does it take to resolve elvey.com's SPF record to a 
list of IPs?  A dozen or so?

II. Here are some simple, concrete examples of where checking the HELO 
domain against SPF records isn't as good as doing CSV checks.
 1) The domain owner used an SPF wizard (M$' or pobox's) to create an SPF 
record. The wizards are buggy.  They don't take steps to ensure that the 
owner creates an SPF record that will match the HELO domains his servers 
use.

 2) The SPF record contains ?all, or ?ip4:.  We need a standard that 
defines whether these should be ignored.  (IMO, yes)

 3) The SPF record contains +all.  We need a standard that defines 
whether this should be ignored. (IMO, yes)

 4) The SPF record contains +63.0.0.0/5, or +63.0.0.0/8, or +63.0.0.0/16 
or +63.0.0.0/24.  We need a standard that defines whether these should 
be ignored. (discussed earlier in this thread.)

 5) Because of issues such as 1-4, and others, a CSV record is more 
amenable to being the basis of accreditation and reputation.

III. SPF provides no mechanism for finding out how to determine a 
domain's reputation. CSV does.

Note, there are other *important* differences (SPF checks against HELO 
are inherently much more vulnerable to DNS security attacks than CSV; 
the meaning of "checking the HELO domain against SPF records" is vague; 
a CSV record is more amenable to being the basis of accreditation and 
reputation ...).  IMO, a relatively readable explanation of some of these 
objections and more can be found at 
http://www.csvmail.org/email-authentication-summit-comments-P044411.pdf, 
but it's not as clear as I. - III.
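The rules the message proposes in II.2 through II.4 (ignore ?all and ?ip4:, ignore +all, ignore over-broad ip4 ranges) and the lookup-cost point in I can be turned into a small offline checker that a receiver would run on an SPF record before trusting it for a HELO check. The following is an added example written for this page, not code from the message's author or from the SPF or CSV projects. The /24 breadth threshold, the sample records, and the function names are assumptions chosen for illustration; the set of terms counted as costing a DNS query is the one SPF itself later fixed in RFC 4408, section 10.1.

```python
"""Static checks on SPF TXT records before trusting them for a HELO check.

Added example for this page; not code from the thread's author or from the
SPF or CSV projects.  The /24 breadth threshold, the sample records and the
function names are assumptions for illustration.
"""
import ipaddress

# Terms whose evaluation costs the receiver a DNS query.  SPF later codified
# this set, and a limit of 10 such terms per check, in RFC 4408 section 10.1.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Assumed policy threshold: an ip4 term wider than /24 is "too broad" to be
# treated as authenticating a HELO domain.
MIN_IP4_PREFIX = 24


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) triples.

    Mechanisms look like "-ip4:192.0.2.0/24" or "mx"; modifiers look like
    "redirect=example.org".  A missing qualifier means "+".
    """
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"
        if field[0] in "+-~?":
            qualifier, field = field[0], field[1:]
        if "=" in field:                       # modifier
            name, arg = field.split("=", 1)
        else:                                  # mechanism
            name, _, arg = field.partition(":")
            name = name.split("/")[0]          # drop a dual-CIDR suffix like "a/24"
        terms.append((qualifier, name.lower(), arg))
    return terms


def count_lookups(record):
    """DNS queries needed to evaluate this record by itself.  Each include or
    redirect pulls in another record whose own lookups are not counted here,
    which is the cost point I. above is making."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def helo_policy_problems(record):
    """Reasons, under the rules proposed in II.2 - II.4, to ignore this record
    when checking a HELO domain.  An empty list means the record is usable."""
    problems = []
    for qualifier, name, arg in parse_spf(record):
        if qualifier == "?" and name in ("all", "ip4", "ip6"):
            problems.append(f"?{name} is neutral and authenticates nothing")
        elif name == "all" and qualifier == "+":
            problems.append("+all authorizes every host on the Internet")
        elif name == "ip4" and qualifier == "+":
            if not arg:
                problems.append("ip4 term with no address")
                continue
            # A bare address is a /32; strict=False tolerates host bits set.
            net = ipaddress.ip_network(arg if "/" in arg else arg + "/32",
                                       strict=False)
            if net.prefixlen < MIN_IP4_PREFIX:
                problems.append(f"ip4:{arg} is broader than /{MIN_IP4_PREFIX}")
    return problems


def usable_for_helo(record):
    """True when none of the proposed ignore rules fire."""
    return not helo_policy_problems(record)


# Constructed sample records (documentation names and RFC 5737 addresses,
# plus the 63.0.0.0/5 range quoted in the message).
SAMPLE_RECORDS = {
    "tight":      "v=spf1 ip4:192.0.2.0/24 -all",
    "neutral":    "v=spf1 ip4:192.0.2.10 ?all",
    "plus_all":   "v=spf1 +all",
    "wide_range": "v=spf1 +ip4:63.0.0.0/5 -all",
    "costly":     "v=spf1 include:a.example include:b.example mx a -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:11} lookups={count_lookups(rec)} "
              f"usable={usable_for_helo(rec)} {helo_policy_problems(rec)}")
```

Run as a script, it lists each constructed record with the number of DNS-querying terms it carries and the reasons, if any, the proposed rules would discard it. Only the "tight" record passes; the "costly" record passes the policy but already needs four queries before any include is followed, which is the efficiency gap point I. contrasts with CSV's single lookup.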