ietf-mxcomp

Re: A new SMTP "3821" [Re: FTC stuff...........]

2004-12-08 05:34:26

On Wed, 2004-12-08 at 09:18 +0000, Chris Haynes wrote:
I hesitate to (re-)enter this thread, and, once again, I'm trying to be fair
and understand the substantive basis for concerns..

_You're_ trying to be fair? I actually found myself defending SPF
slightly :)

Since the purported sender has repudiated the message, the argument goes, the
original SMTP 'contract' to "deliver or bounce" is null-and-void, since
whoever actually injected the message did so without the authority of the
domain they cited.  Therefore it is acceptable to 'silently discard' such
messages, and not send bounces.

If SPF (or indeed anything) is checked by a receiving site, it should
cause a _rejection_. Neither 'silently discard' nor 'send bounces' is
acceptable behaviour. If the recipient doesn't like the mail, it
shouldn't accept it in the first place.

Sending bounces is obviously bogus, if you think it didn't come from
that reverse-path in the first place. Silently discarding it is also
bogus since SPF has too many false negatives and you'd be throwing away
valid mail without even letting the sender know you did so.

By rejecting mail at SMTP time, you cause the majority of the spammer
zombies to move on to the next address without comment, and the genuine
forwarder to send a bounce.

Or is there some other mechanism within SPF which accounts for your '100%
blowback' concern?

Personally I don't agree with Dean's 'blowback' concerns; I don't see
that SPF makes it any worse than any other scheme which would reject the
same mail. But I'm not going to argue any more in favour of SPF :)

-- 
dwmw2