spf-discuss

Re: General Status of SPF

2004-02-26 18:22:42

On Feb 26, 2004, at 2:54 PM, David Woodhouse wrote:
On Thu, 2004-02-26 at 13:10 -0500, Laszlo Toth wrote:
I see some big vendors such as CypherTrust now offering SPF
and am wondering if this is really safe to purchase and use in the corporate environment. Any comments or links to documents with a summary of
where SPF stands would be appreciated.

Policy decisions are, of course, something which you have to make for
yourself.

For what it's worth, and at the risk of sounding confrontational given
the forum, I have to admit I recently considered this and decided that I
couldn't, in good faith to my users, either publish or 'obey' SPF
records.

Your argument not to publish is very legitimate, while your argument to not obey is not. In fact, your argument to knowingly not obey encourages and facilitates fraud.

The concept of SPF is based on the assumption that no hosts out there
legitimately forward email without changing the sender address. That
assumption is not valid in the general case, at the present time.

Here is where I disagree. I think that obeying SPF is not only safe, but responsible.

omniti.com provides the SPF record it does intentionally (as do all SPF publishers). In my record, I deny the right to any system (other than ours) to use my domain in their return path -- that includes remailers. If you don't want to respect my records because you can't yet implement SPF or don't want to because it isn't "in final form", that is fine. But if you don't want to respect my record because you don't agree with my right to prohibit you, as a remailer, from using that domain directly in your envelopes, then you are fraudulent. That is, after all, the entire purpose of SPF.

Assuming you default to "?all", SPF is _perfectly_ safe to follow because those published records are, in no uncertain terms, the wishes of the owner of that domain. If the owner of that domain has your concerns, then they should delay publishing records. The fact that they are published informs you that they have evaluated the costs and benefits of SPF publishing and decided to publish.

There are schemes (SRS) proposed to work around this flawed assumption
by making it true, but they need to be implemented by every forwarding
host on the Internet before the assumptions of SPF become generally
valid.

It is not a flawed assumption. SPF and the records I (and everyone else) publish are valid regardless of their impact on remailers.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth
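
The cases argued over in this thread, as an added example that is not part of the original message or any poster's code: a minimal receiver-side check covering only the `ip4` and `all` mechanisms, run against direct delivery, plain forwarding, forwarding with a rewritten envelope sender, and a domain with no record. The domains, addresses, records and the rewritten local part are constructed placeholders, and treating an unpublished domain as `?all` is this example's reading of the "default to ?all" remark.

```python
import ipaddress

# Constructed records and addresses (documentation ranges), not real DNS data.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DEFAULT_RECORD = "v=spf1 ?all"  # assumption: receiver default for unpublished domains


def check_spf(client_ip, mail_from, records=RECORDS):
    """Evaluate the ip4 and all mechanisms for the envelope sender's domain."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    terms = records.get(domain, DEFAULT_RECORD).split()
    if terms[0] != "v=spf1":
        return "neutral"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: same outcome as a trailing ?all


def scenarios():
    alice = "alice@sender.example"
    forwarder_ip = "198.51.100.7"  # constructed forwarding host
    return {
        "direct": check_spf("192.0.2.10", alice),
        "forwarded, sender unchanged": check_spf(forwarder_ip, alice),
        # Placeholder local part; the real SRS address format is not reproduced here.
        "forwarded, sender rewritten": check_spf(forwarder_ip, "srs-rewritten@forwarder.example"),
        "domain without a record": check_spf("203.0.113.5", "bob@unpublished.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} {result}")
```
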

