spf-discuss

RE: SV: Recursion limit of 20 include/redirects total

2004-05-12 14:12:10
>> "Unknown" is an error state.

> In that case we need to introduce something new - because Unknown is also
> used as the state "unknown", which is something completely different than
> an error state. In case of an error, the system should bounce the e-mail
> or reject it somehow, whereas a genuine unknown state should make the
> e-mail pass somehow, because most e-mails today will have the unknown state.

I'd re-read the RFC. "Unknown" is always an error state. "None" means the 
domain has no SPF record. "Neutral" means the SPF record didn't evaluate to a 
"Pass" or a "Fail".

> You seem to assume that all SPF filtering is done during SMTP negotiation.
> This is not the case. Our biggest mailserver, which carries 70000+ recipient
> e-mail addresses, doesn't even reject based on invalid recipients.

My statements made no reference to when the filtering was done. By "reject", I 
meant either during SMTP (good), NDR (bad), or delete (ugly).

>> So, before widespread adoption, your "Unknown" will basically allow
>> you to continue sending e-mail to most MTAs. After widespread adoption, an
>> "Unknown" SHOULD cause rejections.

> You're saying that it's the implementation that decides what to do in the
> case of an error... why? Why shouldn't it be the SPF record publisher, who
> decides what to do in case of an error? Please explain...

I'm saying that the RFC says that an "Unknown" should be *treated* the same as 
a "None" or "Neutral". And, that all three should be filtered/rejected the same 
way.

This is because during testing (and before widespread adoption), things are 
bound to be misconfigured and in an error state, and great leniency should be 
given. After adoption, all three should be filtered/rejected (along with "Fail" 
and "Error", although "Error" SHOULD transiently reject).

This is basically what you want, right? You want "Unknown"s to cause 
rejections, right? Well, then re-read the RFC! That is what is going to happen 
after widespread adoption.

*** Obviously, this assumes that:
1. MTAs will follow the rejection rules I outlined previously (which I believe 
are a correct interpretation of the RFC).
2. Admins actually set their MTAs to reject non-"Pass"es after widespread 
adoption.

Michael R. Brumm
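The disposition rules argued for in this post (Unknown, None and Neutral treated identically, tolerated before widespread adoption and rejected after it alongside Fail, with Error transiently rejected) written out as a small policy function. This is an added illustration, not code from the spf-discuss thread, the SPF RFC, or any SPF implementation; the phase flag, the function names and the concrete SMTP reply codes are assumptions chosen for the example, and rejecting Fail even in the lenient phase is likewise an assumption the post does not state.

```python
"""Illustration of the SPF result dispositions argued for in the post above.

Added example; not code from the spf-discuss thread, the SPF RFC, or any
SPF implementation. The result names come from the post; the phase flag,
the function names and the SMTP reply codes are assumptions made here.
"""
from dataclasses import dataclass
from enum import Enum


class SpfResult(Enum):
    PASS = "Pass"
    FAIL = "Fail"
    NONE = "None"        # domain publishes no SPF record
    NEUTRAL = "Neutral"  # record evaluated, but neither Pass nor Fail
    UNKNOWN = "Unknown"  # permanent evaluation problem (the post: an error state)
    ERROR = "Error"      # transient problem, e.g. a DNS lookup failed


class Disposition(Enum):
    ACCEPT = 250     # deliver (assumed reply code)
    REJECT = 550     # permanent SMTP rejection (assumed reply code)
    TEMPFAIL = 451   # transient rejection, sender retries later (assumed reply code)


@dataclass(frozen=True)
class Policy:
    # False while SPF adoption is still sparse, True after widespread adoption.
    enforcing: bool


def disposition(result: SpfResult, policy: Policy) -> Disposition:
    """Map an SPF result to an SMTP-time action.

    Unknown, None and Neutral share one branch so they are always treated
    identically: accepted while adoption is sparse, rejected once enforcing.
    Error is transiently rejected in either phase. Rejecting Fail in the
    lenient phase too is an assumption of this example, not the post's claim.
    """
    if result is SpfResult.ERROR:
        return Disposition.TEMPFAIL
    if result is SpfResult.PASS:
        return Disposition.ACCEPT
    if result is SpfResult.FAIL:
        return Disposition.REJECT
    # None / Neutral / Unknown: a single shared branch, so they cannot drift apart.
    return Disposition.REJECT if policy.enforcing else Disposition.ACCEPT


def disposition_table(policy: Policy) -> dict:
    """Return {result name: SMTP reply code} for every result under a policy."""
    return {r.value: disposition(r, policy).value for r in SpfResult}


def uniform_treatment(policy: Policy) -> bool:
    """True when None, Neutral and Unknown receive the same disposition."""
    trio = (SpfResult.NONE, SpfResult.NEUTRAL, SpfResult.UNKNOWN)
    return len({disposition(r, policy) for r in trio}) == 1


if __name__ == "__main__":
    for enforcing in (False, True):
        pol = Policy(enforcing=enforcing)
        print(f"enforcing={enforcing}: {disposition_table(pol)}")
```

Keeping the three non-Pass, non-Fail results on one code path is the point of the example: an MTA configured this way cannot accidentally single out "Unknown" for rejection while still delivering "None" and "Neutral", which is the drift the post argues against.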