ned+ietf-smtp(_at_)mrochek(_dot_)com wrote:
On Fri 27/Apr/2012 20:18:08 +0200 John Levine wrote:
Please save your time and everyone else's by *not* responding to his
message
You did :-)
How much time are we talking about here? Thinking on an evolutionary
scale, it doesn't seem to be comparable to the time the experiment took.
...
If you want to ask questions of an audience of implementors, I suggest that you
ask them what kind of support for SPF do they provide in their products and
perhaps what they know (or don't know) about actual customer usage of those
features.
+1, It is what I suggested, especially along the lines of
known/tracked issues, perhaps security related, on the WG table. I am
not sure if it means anything, but if the right question were asked,
it may just help "open the minds" of others who are currently locked
in certain views.
Consider that supporting SPF comes in many flavors which can as simply
of adding a Domain Policy records but don't support any technical SPF
logic in the server or client. There are many brand domains that
don't use their domain for email and a simple:
v=spf1 -all
defines that "NO EMAIL WITH THIS DOMAIN" policy.
altavista.com makes that very clear with their TXT records:
"v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
"This domain sends no email"
"Null SPF is for tracking purposes only"
"All mail claiming to be from altavista.com is forged"
Hard fail -ALL policies are not a fallacy and a quick scan of capture
DNS query in my logs should roughly 17%, but it will be different for
every site what sort of domains it extracts or caters to.
IMV, the survey might include questions related to the RFC4408
REJECT-ON-FAIL vs MARK-ON-FAIL local SPF deployment option and
specific to MARK-ON-FAIL, a lack of a technical specification left
undefined or perhaps left open-ended by design:
Please describe how MARK-ON-FAIL is implemented in your SPF server:
[_] Received-SPF: fail is recorded
[_] Authentication-Result: spf=fail is recorded
[_] SPF fail mail is quarantined into a "junk email" or similar
user folder.
[_] SPF fail mail is bundled with user's MUA POP3 protocol mail
pickup.
and related to what may be "FAILSAFE" consideration:
If you publish -ALL hard fail SPF policies, what do you expect
the SMTP SPF receiver local policy FAIL result actionable
deployment option to be:
(_) for fail results, we always expect REJECT-ON-FAIL
(_) for fail results, we prefer REJECT-ON-FAIL
(_) for fail results, we always expect MARK-ON-FAIL
(_) for fail results, we prefer MARK-ON-FAIL
[_] MARK or REJECT, we expect "negative" stored separation mail
pass to user.
and strongly related :
What kind of MUA portal access is allowed on your server?
[_] Online MUA, i.e. Web Mail, Mobile device, i.e THIN DEVICE
[_] Offline MUA with POP3 access,
[_] Mixed Online/Offline MUA with IMAP access
[_] Other
And so on.
--
Sincerely
Hector Santos
http://www.santronics.com
jabber: hector(_at_)jabber(_dot_)isdg(_dot_)net