spf-discuss

RE: SV: Recursion limit of 20 include/redirects total

2004-05-12 12:02:46
That is, if something is wrong, things should fall back to the way it
would be if there was no SPF record published.

Should it?  If something is designed to be fail-safe, that could also
mean the exact opposite.

Exactly my words. For me, it would be a definite failure of the system
if the receiver says "unknown" if someone forges my e-mail address. The
spec says: "If a loop is detected, enable forgeries".

I have to admit, until I had a good day to think about it, I was on your side 
of this argument. Then I realized I was confused. Basically, the problem that 
you guys are concerned about won't really exist if MTAs have sensible 
configurations (as in "following the RFC").

"Unknown" is an error state. It means that an error in the SPF information is 
preventing a correct evaluation. It does not mean "Pass". It also does not mean 
"Fail". It means "Apply the same rules to this message as you would to a None, 
but realize this is really an Error."

A sensible MTA should basically allow one of the following rules to be applied:
1. allow anything, add headers only (used before widespread adoption and during 
testing)
2. reject "Fail" (used during tentative adoption)
3. reject "Fail" and "Softfail" (also used during tentative adoption)
4. reject anything that isn't "Pass" (used after widespread adoption)

"None", "Neutral", and "Unknown" should all be treated the same by an MTA. Why 
would an MTA allow an "Unknown" when it doesn't allow a "None" or "Neutral"?

So, before widespread adoption, your "Unknown" will basically allow you to 
continue sending e-mail to most MTAs. After widespread adoption, an "Unknown" 
SHOULD cause rejections.

Obviously, all the power of rejection is in the hands of the receiving MTA, not 
the domain owner. You can't prevent identity theft of your domain from 
occurring on MTAs where the admin decides that EVERYTHING will pass, even 
"Fail"s. You also can't prevent admins from doing nonsensical things like 
rejecting only "Fail" and "None" (thereby allowing "Neutral" and "Unknown" to 
get through). Hopefully, MTAs will follow the RFC and won't allow that type of 
configuration.

This is a very bad example of error handling. Try to imagine a firewall
that works the same way as SPF does now: If some kind of
misconfiguration happens, open up all ports, disable virus scanning and
filtering, in order to ensure that all traffic passes. It surely keeps
the network connection up, but would you buy it?

Protecting domain owners from identity theft and protecting MTAs from forgeries 
are two completely distinct concepts. The firewall analogy only fits the 
concept of protecting MTAs. I obviously wouldn't buy an MTA that allowed an 
"Unknown" through after I set it to SPF rejection level #4 (from above).

I hope this all cleared up the confusion...

Michael R. Brumm
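The following is an added example, not part of the thread and not code from any SPF implementation. It is a toy SPF evaluator written to show the two points argued above: (1) a loop or more than 20 include/redirect lookups yields the error result "Unknown" (later renamed "PermError" in RFC 4408) rather than a Pass, and (2) a receiving MTA applying the four rejection levels from the post treats "None", "Neutral" and "Unknown" identically, so an "Unknown" only gets through at the levels where a "None" would too. The DNS table, the domain names and the `check_host` / `mta_action` helpers are all constructed for this illustration; the evaluator handles only `ip4`, `all`, `include` and `redirect`, which is enough to exercise the limit and loop cases.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed in-memory "DNS" of SPF TXT records (hypothetical domains).
DNS: Dict[str, str] = {
    "good.example":   "v=spf1 ip4:192.0.2.0/24 -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "nospf.example":  "",                       # no SPF record at all -> "None"
}
# A constructed include chain deeper than the 20-lookup limit discussed in the thread.
for i in range(25):
    DNS[f"chain{i}.example"] = f"v=spf1 include:chain{i + 1}.example -all"

MAX_LOOKUPS = 20                                # include/redirect budget per evaluation
RESULTS = {"Pass", "Fail", "Softfail", "Neutral", "None", "Unknown"}
QUALIFIER = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def in_cidr(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr (a bare address is treated as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip: str, domain: str, path: Tuple[str, ...] = (), budget=None) -> str:
    """Toy SPF check. Returns Pass, Fail, Softfail, Neutral, None or Unknown.

    'Unknown' is the error state: a loop in the include/redirect graph or more
    than MAX_LOOKUPS lookups. It is deliberately never turned into a Pass.
    `path` is the chain of domains currently being evaluated (loop detection),
    `budget` is a one-element list so the lookup count is shared across recursion.
    """
    budget = [MAX_LOOKUPS] if budget is None else budget
    if domain in path:
        return "Unknown"                        # loop detected -> error, not Pass
    record = DNS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "None"                           # domain publishes no SPF record
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]
        if term.startswith("ip4:"):
            if in_cidr(ip, term[4:]):
                return QUALIFIER[qual]
            continue
        if term.startswith(("include:", "redirect=")):
            budget[0] -= 1
            if budget[0] < 0:
                return "Unknown"                # exceeded the 20-lookup limit
            target = term.split("=" if term.startswith("redirect=") else ":", 1)[1]
            sub = check_host(ip, target, path + (domain,), budget)
            if sub == "Unknown":
                return "Unknown"                # errors propagate outward unchanged
            if term.startswith("redirect="):
                return sub                      # redirect replaces this record's result
            if sub == "Pass":
                return QUALIFIER[qual]          # include matched; apply its qualifier
            continue                            # include did not match; keep going
        return "Unknown"                        # unrecognised mechanism -> error
    return "Neutral"                            # ran off the end of the record


# The four MTA rejection levels from the post. "None", "Neutral" and "Unknown"
# are always treated alike: none of them is rejected until level 4, where all are.
REJECT_LEVELS = {
    1: set(),                                           # allow anything, headers only
    2: {"Fail"},                                        # reject Fail
    3: {"Fail", "Softfail"},                            # reject Fail and Softfail
    4: {"Fail", "Softfail", "Neutral", "None", "Unknown"},  # reject anything but Pass
}


def mta_action(result: str, level: int) -> str:
    """Map an SPF result to the receiving MTA's decision at a given level."""
    if result not in RESULTS:
        raise ValueError(f"not an SPF result: {result!r}")
    return "reject" if result in REJECT_LEVELS[level] else "accept"


def decide(ip: str, domain: str, level: int) -> Tuple[str, str]:
    """Evaluate SPF for (ip, domain) and apply the MTA's rejection level."""
    result = check_host(ip, domain)
    return result, mta_action(result, level)


if __name__ == "__main__":
    for dom in ("good.example", "loop-a.example", "chain0.example", "nospf.example"):
        for lvl in (1, 4):
            print(f"{dom:16} level {lvl}: {decide('192.0.2.5', dom, lvl)}")
```

Running the script shows the behaviour the post describes: at level 1 the looping and over-long records are accepted exactly like a domain with no record, and at level 4 all three are rejected together, while `good.example` passes at every level. Note that `path` is a per-branch tuple rather than a global "seen" set, so a record that includes the same domain twice through different branches is not misreported as a loop; only the shared lookup budget counts it twice.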