On Wednesday May 12, michel(_at_)arneill-py(_dot_)sacramento(_dot_)ca(_dot_)us
wrote:
I have read and understood the charter of the WG, nevertheless there are
plenty of people such as myself that look at MARID and/or SPF as cheap
ways to curb spam and/or phishing schemes, and a soft fail or a neutral
does not do any good to me.
people who think that MARID and/or SPF are cheap ways to curb spam
and/or phishing schemes are simply wrong. It isn't that easy.
MARID/SPF give you a measure of authenticity for the mail. It is not
black/white. But it is a useful shade of grey.
SPF only has real value when it says "pass" - the return address looks
valid.
When it does that, you can reliably check the address against a
white list or black list, and can return advisor messages to the address.
When it says "fail" or "neutral" or "softfail", you can add that as a
negative weight to heuristic spam filtering. The more sites that
publish reliable SPF, the more negative the weight can be.
In my mind, the only time that "!all" means anything is when it is the
only directive in the SPF entry, and hence means 'this domain never
sends mail'. In any other case, it can not be usefully distinguished
from "~all" or even "+all". They all say "That IP address gives you
no information about the authenticity of the email".
I like to look at the 32bit IP address space and see how the SPF
record divides that up. It tries to say "Yes, this is valid" for some
subset of the 32bit space.
The strength of the "Yes" is roughly inversely proportional to the
size of the space.
If the space has one or two entries, it is a very strong yes.
If it has a few hundred, it is still fairly strong.
If it has thousands, then I'm beginning to doubt it's strength.
If it has 24 bits worth of space, it is close to meaningless.
If it has 32 bits worth of space, it tells me nothing, so it *is*
meaningless. (Well, it tells me the domain wants me to accept their
email, but I guess I already knew that).
NeilBrown