ietf-smtp

Re: bogus SPF deployment survey

2012-04-30 05:41:34

ned+ietf-smtp(_at_)mrochek(_dot_)com wrote:

On Fri 27/Apr/2012 20:18:08 +0200 John Levine wrote:
Please save your time and everyone else's by *not* responding to his
message

You did :-)

How much time are we talking about here?  Thinking on an evolutionary
scale, it doesn't seem to be comparable to the time the experiment took.

...

If you want to ask questions of an audience of implementors, I suggest that you
ask them what kind of support for SPF do they provide in their products and
perhaps what they know (or don't know) about actual customer usage of those
features.

+1, It is what I suggested, especially along the lines of known/tracked issues, perhaps security related, on the WG table. I am not sure if it means anything, but if the right question were asked, it may just help "open the minds" of others who are currently locked in certain views.

Consider that supporting SPF comes in many flavors, which can be as simple as adding Domain Policy records but not supporting any technical SPF logic in the server or client. There are many brand domains that don't use their domain for email and a simple:

    v=spf1 -all

defines that "NO EMAIL WITH THIS DOMAIN" policy.

altavista.com makes that very clear with their TXT records:

   "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
   "This domain sends no email"
   "Null SPF is for tracking purposes only"
   "All mail claiming to be from altavista.com is forged"

Hard fail -ALL policies are not a fallacy and a quick scan of captured DNS queries in my logs shows roughly 17%, but it will be different for every site depending on what sort of domains it extracts or caters to.

IMV, the survey might include questions related to the RFC4408 REJECT-ON-FAIL vs MARK-ON-FAIL local SPF deployment option and specific to MARK-ON-FAIL, a lack of a technical specification left undefined or perhaps left open-ended by design:

   Please describe how MARK-ON-FAIL is implemented in your SPF server:

   [_] Received-SPF: fail is recorded
   [_] Authentication-Result: spf=fail is recorded
   [_] SPF fail mail is quarantined into a "junk email" or similar user folder.
   [_] SPF fail mail is bundled with user's MUA POP3 protocol mail pickup.

and related to what may be a "FAILSAFE" consideration:

   If you publish -ALL hard fail SPF policies, what do you expect
   the SMTP SPF receiver local policy FAIL result actionable
   deployment option to be:

   (_) for fail results, we always expect REJECT-ON-FAIL
   (_) for fail results, we prefer REJECT-ON-FAIL
   (_) for fail results, we always expect MARK-ON-FAIL
   (_) for fail results, we prefer MARK-ON-FAIL
   [_] MARK or REJECT, we expect "negative" stored separation mail pass to user.

and strongly related:

   What kind of MUA portal access is allowed on your server?

   [_] Online MUA, i.e. Web Mail, Mobile device, i.e. THIN DEVICE
   [_] Offline MUA with POP3 access,
   [_] Mixed Online/Offline MUA with IMAP access
   [_] Other

And so on.


--
Sincerely

Hector Santos
http://www.santronics.com
jabber: hector(_at_)jabber(_dot_)isdg(_dot_)net
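
The two records quoted in the message above, evaluated receiver-side in an added example that is not part of the original message: it expands the RFC 4408 macros, records the DNS name the receiver ends up querying, and maps a fail result to the REJECT-ON-FAIL and MARK-ON-FAIL options. The client IP, sender, HELO name and helper names are constructed, the tracking name is assumed not to resolve, and macro transformers and mechanisms other than `exists` and `all` are not handled.

```python
import re

# Record quoted in the message above; the client values below are constructed.
ALTAVISTA = "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def context(ip, sender, helo):
    local, _, domain = sender.partition("@")
    return {"i": ip, "s": sender, "h": helo, "l": local, "o": domain, "d": domain}

def expand(spec, ctx):
    """Expand %{i} %{s} %{h} %{l} %{o} %{d} and %%, %_, %- (no transformers)."""
    literals = {"%%": "%", "%_": " ", "%-": "%20"}
    def sub(m):
        return literals.get(m.group(0)) or ctx[m.group(1)]
    return re.sub(r"%\{([ishlod])\}|%[%_-]", sub, spec)

def check_host(record, ctx, name_exists):
    """Evaluate a record built from 'exists' and 'all' only.
    Returns (result, list of DNS names the receiver had to query)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    queried = []
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech.lower() == "all":
            return RESULTS[qual], queried
        if not mech.lower().startswith("exists:"):
            raise ValueError("mechanism not covered by this example: " + mech)
        name = expand(mech[len("exists:"):], ctx)
        queried.append(name)          # this lookup is what reaches the publisher's DNS
        if name_exists(name):
            return RESULTS[qual], queried
    return "neutral", queried         # nothing matched and no 'all' term

def receiver_action(result, reject_on_fail):
    """The two local-policy options for a fail result discussed in the message."""
    if result != "fail":
        return "accept"
    return "reject: 550 5.7.1" if reject_on_fail else "accept, add 'Received-SPF: fail'"

if __name__ == "__main__":
    ctx = context("192.0.2.10", "user@altavista.com", "mail.example.net")
    # Assumption: the tracking name does not resolve, so 'exists' never matches.
    for record in ("v=spf1 -all", ALTAVISTA):
        result, queried = check_host(record, ctx, lambda name: False)
        print(record, "->", result, queried)
        print("  REJECT-ON-FAIL:", receiver_action(result, True))
        print("  MARK-ON-FAIL:  ", receiver_action(result, False))
```

Both records end in fail for every sender, but only the second makes the receiver emit a query whose name carries the client IP, envelope sender and HELO name.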
