On May 3, 2008, at 4:01 PM, Frank Ellermann wrote:

> John Leslie wrote:
>
>> My personal inclination is to declare "guessing" out of scope for
>> returning DSNs. We already know that not every domain wants them.
>> Declaring that one MUST send them even when the receiving domain
>> has not expressed an interest in receiving them leads to known
>> problems _today_. It would be good, IMHO, to have a clear way to
>> declare an interest in receiving them, or _not_ receiving them
>
> That is a solved problem for senders and receivers participating in
> SPF, a PASS means "yes, please inform me about delivery issues as
> specified in 2821bis".
>
> A FAIL means "please reject at your border, a (wannabe) originator
> as indicated in the reverse-path is likely not the real originator,
> and where that is not the case it is a problem to be solved by the
> hop before you (forwarder or simply an erroneous policy), not your
>
> No guessing involved for PASS and FAIL.

Mention of SPF should be accompanied with security admonishments not
to expand evaluation macros. The sequence of transactions that might
be needed to retrieve SPF authorization lists may not end guessing,
since these lists are often incomplete and allow NEUTRAL or SOFT-FAIL
results. Such results are easily exploited. SPF's use of generic TXT
records at base domains is unlikely to completely transition to the
service specific resource record, and will conflict with future
protocols and revisions.

Since a large percentage of domains accepting SMTP connections already
publish MX records, expecting MX for acceptance eliminates publishing
or retrieving other SMTP related records within sub-domains lacking MX
records. Such an expectation offers domains not publishing MX records
substantial protection from undesired connections and subsequent DNS
transactions otherwise necessary to support SMTP and various SMTP
extensions. In addition, invalid return-paths can be immediately
deduced within a single transaction. The transmitter of the message
must be expected to offer succinct evidence of a valid return-path.

Transactions pertaining to acceptance of anonymous initiations of
personal messages should be limited to domains publishing resource
records explicitly supporting the exchange protocol. This practice
becomes increasingly important to limit the level of undesired traffic
expended by a distribution of receivers. For SMTP, the resource
record would be MX.
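
A sketch of the decision logic argued over in this thread, added here as an example and not part of the original messages: it requires MX for the reverse-path domain first, then maps SPF PASS and FAIL to DSN handling and reports every other result as undetermined. The zone data, domain names and the function names `spf_result` and `dsn_decision` are constructed for illustration; only `ip4`, `ip6` and `all` terms are evaluated, and anything needing further lookups or macro expansion is refused.

```python
import ipaddress

# Constructed zone data standing in for DNS answers (placeholder names).
ZONE = {
    "pass.example": {"MX": ["mx.pass.example"], "TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
    "soft.example": {"MX": ["mx.soft.example"], "TXT": "v=spf1 ip4:198.51.100.7 ~all"},
    "open.example": {"MX": ["mx.open.example"], "TXT": "v=spf1 ip6:2001:db8::/32 ?all"},
    "nomx.example": {"MX": [], "TXT": "v=spf1 ip4:203.0.113.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate a record left to right using only ip4/ip6/all terms."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include, a, mx, exists, redirect= and macros need more lookups
        # or expansion; this sketch refuses them rather than following.
        return "unsupported"
    return "neutral"  # no term matched: SPF's default result


def dsn_decision(domain, client_ip, zone=ZONE):
    """Map a reverse-path domain and client IP to a bounce-handling choice."""
    answers = zone.get(domain, {})
    if not answers.get("MX"):
        return "reject: return-path domain publishes no MX"
    result = spf_result(answers.get("TXT"), client_ip)
    if result == "pass":
        return "accept: DSN to reverse-path is wanted"
    if result == "fail":
        return "reject at border: no DSN"
    return "undetermined (%s): receiver is left guessing" % result
```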