Roger Moser wrote:
196 SPF records (about 75%) had '-all'.
There has been a lot of discussion about the "-all" lately on the list.
A few have said that until SRS is adopted -all should be taken with a
grain of salt. I seem to have a different point of view.
SPF is about publishing policy. -all means that no one can use my
domain in their return path but those I delegate (my machines). This
includes forwarders. There is a principle involved here. You have to
_believe_ that forwarders should take direct responsibility over the
return path of the emails that they choose to retransmit.
Realizing that the SMTP RFCs mention nothing of this and it is
perfectly valid (and commonplace) to use the unmodified return path when
forwarding mail, one must make a "leap" and say "the system is too
trusting, we must make change." One of these changes is enabling a
mechanism to protect your return path.
The argument that it breaks forwarders is not a good one. What's the
difference between a forwarder and a spammer? They both lie outside the
control of the domain owner. While a forwarder might be "trusted", that
idea is flawed as well. Spammers will just focus on compromising
machines on those forwarders' networks.
I see people using SPF -all as "taking a stand" against the way
forwarding is deployed now. They're saying that while current
forwarding is not in violation of any RFC, it is a mechanism that requires
more trust than the current Internet can offer them a foundation for.
The mechanism is antiquated.
The Internet is a place where "my network, my rules" has reigned supreme
for a long time. SPF is simply a mechanism for saying "my domain in a
return path, my rules."
--
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth