ietf-mxcomp

Re: Limited scope of work

2004-03-30 21:18:17

In <700EEF5641B7E247AC1C9B82C05D125DA81A(_at_)srv1(_dot_)pan-am(_dot_)ca> 
"Gordon Fecyk" <gordonf(_at_)pan-am(_dot_)ca> writes:

> I think a fourth category may be needed:  Unknown -- IPs that
> are untrusted, but not necessarily bad.
>
> Otherwise, we risk falling into the mindset that anything not
> explicitly permitted is to be dropped.

Actually, that is EXACTLY the mindset that should be adopted.  If we don't
adopt this mindset we might as well trust everything by default like we have
for the past fifteen+ years.  Or is it twenty+ years?


The issue of whether there should be just a pass/fail, or if there
should be some levels of gray in the LMAP proposals seems to be one
that many reasonable people disagree on.  I think most people agree
that the desired result is widespread adoption with generally only
pass/fail results, but there is disagreement about how to reach this
goal.

Do categories other than pass/fail encourage domain owners to
transition to LMAP and then transition into increasingly strict
enforcement?  Or, do these other categories encourage domain owners to
just take the easy steps and never do anything more?

For the record, I think that the SPF categories of accept,
neutral/unknown, softfail and fail is about the right number of
categories.  For the record, I don't think one camp will be able to
convince the other camp that they are wrong.  

However, instead of just adding my opinion on the subject, I would
also like to add some data.  Feel free to interpret them as you wish.


As many may know, there is an "SPF Adoption Roll" that domain owners
can sign up with, if they want to.  These adoption rolls are
notoriously incomplete and unrepresentative, but they often provide
the only available data.


A while ago, I took a copy of the adoption roll and used it for SPF
testing.  Here is a very rough breakdown of how domain owners say to
handle IP addresses that they haven't explicitly listed:

8362 domains total
7018 domains say to reject other IPs as a default
 906 domains say to give neutral/unknown results as a default
 404 domains say to give softfail results as a default
  30 domains say to accept other IPs as a default

These numbers don't quite add up.  I suspect that is both because my
greps weren't quite right and because some have created SPF records
that specify more than one default.


The ten most popular SPF records are:

1  1097 v=spf1 mx -all 
2   804 v=spf1 ip4:a.b.c.d/32 ip4:a.b.c.d/32 a ptr mx -all 
3   463 v=spf1 a mx ptr -all 
4   429 v=spf1 a mx -all 
5   325 v=spf1 -all 
6   306 v=spf1 a -all 
7   171 v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.example.com -all 
8   131 v=spf1 include:example.org ~all 
9   131 v=spf1 a mx ?all 
10  130 v=spf1 ?all 

(I've slightly munged the above to preserve the privacy of the SPF
adoption roll participants.)

The second most popular SPF record in the adoption roll is an example
of how one specialized web hosting company who decides to add SPF
records for all(?) of their clients can skew the results of the
adoption roll.  Actually, the same goes for numbers 7 and 8.


Still, the most popular SPF record is widely used by many different
organizations.  It tells us that any LMAP system that can't easily
express that the incoming mail exchanges match up with the outgoing
mail exchanges is going to be a burden for a lot of people.  The
number of SPF records with -all in them shows that a lot of people are
willing to reject email from all but a very small set of IP
addresses.  Number 5 says that many domains don't send email at all
and thus all email using their domain names is spoofed.

There are 204 SPF records on the adoption roll that use the exists:
mechanism with a macro variable, so a non-trivial number of domain
owners want something more complex than a simple list of IP
addresses.


-wayne
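The default-handling breakdown above was produced with greps over the adoption roll. As an added illustration (not part of this thread or of any SPF implementation), the script below tallies the same four categories by parsing each record's terms and taking the qualifier on the first "all" term, which is the one that decides the default under SPF evaluation. The domain names and records are constructed samples modelled on the shapes listed in the post, not adoption-roll data. It also flags records with more than one "all" term, which a grep-based count would count twice, and records that use exists: with a macro.

```python
import re
from collections import Counter

# Constructed sample records (hypothetical .test domains), shaped like the
# popular records quoted in the post; not the adoption roll itself.
SAMPLE_RECORDS = {
    "a.test": "v=spf1 mx -all",
    "b.test": "v=spf1 ip4:192.0.2.10/32 a ptr mx -all",
    "c.test": "v=spf1 -all",
    "d.test": "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.example.com -all",
    "e.test": "v=spf1 include:example.org ~all",
    "f.test": "v=spf1 a mx ?all",
    "g.test": "v=spf1 ?all",
    "h.test": "v=spf1 a mx +all",
    "i.test": "v=spf1 mx ~all -all",   # two defaults: only the first is ever reached
    "j.test": "v=spf1 a mx",           # no "all" at all
}

# SPF qualifier -> the category names used in the post.
QUALIFIER_CATEGORY = {
    "+": "accept",
    "?": "neutral/unknown",
    "~": "softfail",
    "-": "fail",
}


def parse_spf(record):
    """Split an SPF v1 record into (qualifier, term) pairs.

    A term without an explicit qualifier defaults to "+" (pass), as in SPF.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def default_policy(record):
    """Category applied to an IP that matches none of the listed mechanisms.

    "all" matches every sender, so evaluation stops at the first "all" and
    its qualifier is the default.  A redirect= modifier hands the decision
    to another domain's record.  With neither present, the SPF result is
    Neutral, which is the post's neutral/unknown bucket.
    """
    for qualifier, term in parse_spf(record):
        name = term.lower()
        if name == "all":
            return QUALIFIER_CATEGORY[qualifier]
        if name.startswith("redirect="):
            return "redirect"
    return "neutral/unknown"


def has_macro_exists(record):
    """True if the record uses exists: with a macro expansion such as %{i}."""
    return any(
        term.lower().startswith("exists:") and re.search(r"%\{[a-zA-Z]", term)
        for _, term in parse_spf(record)
    )


def tally(records):
    """Count defaults per category and list the records a grep would miscount.

    Returns (counts, domains_with_multiple_all, domains_with_macro_exists).
    """
    counts = Counter(default_policy(rec) for rec in records.values())
    multiple_all = [
        dom for dom, rec in records.items()
        if sum(1 for _, t in parse_spf(rec) if t.lower() == "all") > 1
    ]
    macro_exists = [dom for dom, rec in records.items() if has_macro_exists(rec)]
    return counts, multiple_all, macro_exists


if __name__ == "__main__":
    counts, multiple_all, macro_exists = tally(SAMPLE_RECORDS)
    print("%d domains total" % len(SAMPLE_RECORDS))
    for category in ("fail", "neutral/unknown", "softfail", "accept", "redirect"):
        print("%4d domains default to %s" % (counts[category], category))
    print("records with more than one 'all' term:", multiple_all)
    print("records using exists: with a macro:", macro_exists)
```

Because only the first "all" term is reachable, the tally above adds up to the number of domains, unlike a per-qualifier grep, which counts a record such as `~all -all` once under softfail and once under fail.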

