spf-discuss

500 errors, civil disobedience, and encouraging wide SPF adoption

2004-03-17 22:43:39

It was observed recently (I think) on this list that the semantics of
usage are in some sense stronger than the semantics of denotation.

In particular, it was asserted that contrary to RFC2821, the address
in the "MAIL FROM:" SMTP command is not who the mail is from so much
as who DSNs should go to.

There is certainly an element of truth in this, and I would like to
take the idea a bit further and apply it to SMTP status codes, and in
particular the status code returned after the ".<CRNL>" which
terminates a DATA command.

One could argue that the operational reality is that an error code of:

  2xx means "message understood. No immediate reply"
  4xx means "please resend later"
  5xx means "message understood. Please return this reply"

It is really up to the MTA whether it does anything else with the mail
message in any of these cases, and in particular it might choose to
successfully deliver the message after returning 5xx (just as it might
choose to dump a message after a 2xx if it turned out to be pure virus).

The returned reply in the 5xx cases is sometimes wrapped up in 
negative sounding words like "failure" and "undeliverable", but
sometimes it is much more neutral: "Returned mail: see transcript for
details."

This could be leveraged to warn people that their mail might be
rejected due to SPF non-compliance and thus spread awareness and
adoption of SPF.  I wouldn't recommend doing this (much) before SPF
had reached a suitable stage in the IETF process (maybe Draft
Standard), but it might be worth discussing it now.

One example where I feel it would be particularly useful is on
receiving a message where we aren't confident enough of its badness to
reject it, but we also aren't confident enough of the envelope-from to
be comfortable sending a DSN if it turns out there is a failure later
on in delivery.

In that case one might respond to the '.' terminating DATA with

  555-Message accepted for conditional delivery.
  555-Due to lack of a reliable return address, subsequent failure
  555-will not be reported.
  555 See http://what.ever/555.html for more details

This would make it easy to inform the wider populace about SPF,
particularly targeting the people who need it.

In the early days, it might be appropriate to randomly return this
instead of "250" in (say) 5% of cases, growing to 100% of cases 12
months after SPF becomes a standard.

One problem with this is forwarding services which don't do SRS yet.
We really want to annoy the forwarder, but this will annoy the
innocent sender.  Possibly some simple analysis of the headers of the
message would allow a more relaxed acceptance of forwarded mail.

Thoughts?

NeilBrown
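
The proposal in the message above, sketched as an added example (not code from the post or from any MTA): the receiver's choice of end-of-DATA reply, and what a conventional sending MTA then does with it. The 555 text and the 5% figure are the post's; the mapping of SPF results to outcomes, the 550 text and all function names are assumptions.

```python
import random

# 555 text as given in the post; the URL is the post's own placeholder.
NOTICE = [
    "Message accepted for conditional delivery.",
    "Due to lack of a reliable return address, subsequent failure",
    "will not be reported.",
    "See http://what.ever/555.html for more details",
]

def format_reply(code, text_lines):
    """Render a multiline SMTP reply: 'code-' on every line, 'code ' on the last."""
    last = len(text_lines) - 1
    return [f"{code}{' ' if i == last else '-'}{t}" for i, t in enumerate(text_lines)]

def end_of_data_reply(spf_result, rollout=0.05, draw=None):
    """Choose the reply to the '.' that ends DATA; returns (reply_lines, deliver).

    Assumed mapping (not from the post): 'pass' means the envelope-from is
    trusted, 'fail' is rejected outright, and every other result is the
    uncertain middle the post describes. `rollout` is the fraction of those
    uncertain messages that get 555 instead of 250; `draw` is a value in
    [0, 1), random unless the caller supplies one.
    """
    if spf_result == "pass":
        return format_reply(250, ["OK"]), True
    if spf_result == "fail":
        return format_reply(550, ["Rejected: SPF fail"]), False
    draw = random.random() if draw is None else draw
    if draw < rollout:
        return format_reply(555, NOTICE), True   # delivered anyway, sender is told
    return format_reply(250, ["OK"]), True

def sender_action(reply_lines):
    """What a conventional sending MTA does, per the post's reading of 2xx/4xx/5xx."""
    code = reply_lines[0][:3]
    for i, line in enumerate(reply_lines):
        sep = " " if i == len(reply_lines) - 1 else "-"
        if line[:3] != code or line[3:4] != sep:
            raise ValueError(f"malformed reply line: {line!r}")
    action = {"2": "done", "4": "retry-later", "5": "return-to-sender"}.get(code[0])
    if action is None:
        raise ValueError(f"unexpected reply code: {code}")
    return action, "\n".join(line[4:] for line in reply_lines)
```

The sending side needs no changes for the notice to reach the envelope sender: any 5xx makes it return the reply text, which is the behaviour the proposal relies on.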

