In <002e01c3f61d$6c42afa0$6401a8c0(_at_)FAMILY> "Hector Santos"
<winserver(_dot_)support(_at_)winserver(_dot_)com> writes:

> In my view, SPF should be about one thing; gaining a high trust
> query result: NONE, PASS or FAIL. A system that wishes to support SPF
> should do so with a failed fallback as the only acceptable format. A system
> that offers a NONE or PASS result still requires additional logic to
> validate the sender. While migration should be a consideration, it MUST be
> strongly stated that an SPF system with a softfail result offers no value in
> the sender permitted framework. It should be noted that SPF clients will view
> softfail sites as a system with no trust. Note, this does not suggest that
> a softfail recording should not be made or that it could not be used as a
> weight for decision making. It simply says that softfail does not offer any
> value in validating a system, thus it is highly discouraged.

SPF is about communicating between the domain owner, and people who
receive email using that domain. There is not, and can not be, any
strong enforcement here. Domain owners can not force email receivers
to do anything with the SPF records, nor can email receivers force
domain owners to publish SPF records.

As such, you can do anything you want with the SPF records. There are
things that will make things better or worse.

In my humble opinion:

If you are looking for just a pass/fail system, pass everything except
for fails.

If you want to use RHSBLs reliably then use only those that pass or
softfail.

If you want to add a message to the emails that softfail, that would
be great. If you can't, don't worry about it.

If you want to do some sort of spam scoring system, then softfail
should probably be ranked lower than neutral.

Neutral, none and unknown REALLY REALLY REALLY need to be treated
the same and you should do the same thing you did before SPF existed.
If these three are not treated the same, then domain owners will be
scared to publish SPF records at all.

> My preference is that it be removed from the SPEC so that a huge database
> of softfail systems does not accumulate over time. It offers absolutely
> no value whatsoever.

I disagree with this assessment. Remember, we can't force domain
owners to publish SPF records. It is my opinion that the jump from
neutral to fail is too large. Large companies/ISPs need to be able to
give their users some warning before they switch from neutral to
fail. While memos and such can help, automated systems that add
warnings when a softfail is detected can play a very important part.

While I don't want to see a huge database of softfail systems
accumulate, I strongly believe that if softfail didn't exist, people
would simply continue to use neutral and never switch to fail.

-wayne