ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

The problem with Unified SPF

2004-06-30 13:21:49
from [Roy Badami] [Permanent Link] 


OK, here's what I see as the probems with Unified SPF (as I understand
the proposal) as compared with using SenderID in conjunction with
CSV/CSA.

1. Unified SPF encourages (but doesn't require) the same check to be
   made on the HELO as on other identities.  If this is how it is
   deployed in practice, it will lead to unnecessarily lax checks on
   the HELO, which will reduce the effectiveness of the HELO check.

   A complex SPF record may reference many different providers,
   whereas a particular HELO string will typically come from a
   specific MTA.  The big problem though is when an SPF record ends in
   ?all or ~all.  It is counterproductive to encourage people to use
   this same record for HELO checks.  You may not know all the MTAs
   that might sometimes originate mail for your domain, but HELO
   strings typically identify individual MTAs, and you almost
   certainly know the exact list of IP addresses in use by a specific
   MTA under your control.  Encouraging people to relax the HELO check
   just because they don't feel comfortable with a strict PRA (or MAIL
   FROM) check is undesirable.

2. It's not clear that unifying them (in the sense that I understand
   is intended by Meng Weng Wong) makes much sense, given the set of
   valid identities is typically disjoint.  Ignoring for a moment the
   fact that a HELO identity is a domain, whereas a PRA or MAIL FROM
   is a mailbox, even the domains used are typically disjoint.

   If example.com is a domain that occurs in the PRA and MAIL FROM, it
   typically won't be a valid HELO identity.  Conversely,
   mx1.example.com might be a valid HELO identity, but is unlikely to
   be valid as part of a mailbox.

   Unifying the proposals syntactically may make sense -- ie using a
   (subset of) SPF syntax for the CSV/CSA records.  I remain to be
   convinced that unifying them semantically is sensible.

3. The models of reputation and accreditation are different.  One is
   the reputation of a domain, the other is a reputation of a host.
   It's not clear to me that both of these reputation services will be
   provided by the same set of providers, so if you're going to try
   and use a single record for both purposes, you probably want to be
   able to select separate sets of reputation services for the HELO
   identity and the PRA/MAIL FROM identities, in order to avoid
   redundant quieries to the 'wrong' providers.  This _could_ be done
   with a single record, but given (2) above, this starts looking
   unnecessarily messy to me.

   -roy
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Differences between CSV and Sender-ID, Douglas Otis
Next by Date:  Re: Differences between CSV and Sender-ID, Hector Santos
Previous by Thread:  CEAS Conference on July 30-31, John R Levine
Next by Thread:  The problem with Unified SPF, Roy Badami
Indexes:  [Date] [Thread] [Top] [All Lists]