spf-discuss

Re: Should SPF be Frozen or Extensible? (XML insights)

2004-06-02 10:17:12
After thinking about it for a while, and reading the responses on extensibility, I am now starting to think it may not be such a big issue as I thought it was.

My main goal was to alter SPF enough so that we have at least, if not more, extensibility than an SPF-based one. Perhaps this is not as important to people as other factors, say, a 100% predictable behavior and an easy-to-understand failure mode.


--Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:

> Mark and I went over this at some length back in November.
>
> Basically, if a mechanism is unknown (whether it's inside an
> include or not) you have a choice of aborting or
> continuing.  Presently, the specification says to abort.
>
> If you continue, you're now implicitly searching for a PASS,
> so now you have to operate in degraded mode.  The
> unrecognized mechanism could have returned a match or
> no-match, so now the rest of the computation occurs in a
> sort of superposed state.


What I was really fishing for was a way to let the domain owner control things. The existing error handling is sufficient for *most* applications. I don't think more complicated error handling helps... the "degraded mode" would still be outside the domain owner's control.


Perhaps I need to take a second look at version numbers and really think about that. If version numbers are to be a workable upgrade path, we need to come out with new version numbers often enough to support new features, but that means the people writing SPF-aware receivers need to be on board and update their code quickly.

What I don't want to end up with is a world where everyone publishes v=spf1 v=spf2 and v=spf3 records, because they want the new features but not all receivers respect them yet. I also don't want everyone to just stick with v=spf1 forever because they are unsure of the status of who is able to read what.

Once we come out with v=spf2, how will we track who is reading (and acting on) our spf2 record? Maybe some large site that already uses exists: can alter their exists record so that this number is available. Some solid data on who is using spf1 vs. spf2 will hopefully spur on the adoption of spf2 by publishers.


Here is an idea... what if we just go ahead and plan on spf2 happening whenever domain keys (or whatever new feature) is ready, and that can be a test case for whether version numbers are sufficient and how they will work in practice...


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
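
Added example, not part of the original message or of any SPF implementation: a Python sketch of the abort-versus-continue choice described in the quoted text, where continuing past an unknown mechanism leaves a set of possible results rather than one. The mechanism name `foo`, the result label `abort`, the `neutral` default and the sample record are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record; "foo" stands in for a mechanism the receiver does not know.
SAMPLE = "v=spf1 ip4:192.0.2.0/24 foo:bar -all"

def split_term(term):
    """Return (qualifier result, mechanism name, argument) for one term."""
    qual = "pass"  # a missing qualifier means "+"
    if term[0] in QUALIFIERS:
        qual, term = QUALIFIERS[term[0]], term[1:]
    name, _, arg = term.partition(":")
    return qual, name.lower(), arg

def matches(name, arg, ip):
    """True/False for the two mechanisms this sketch knows, None if unknown."""
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    return None

def evaluate(record, ip, degraded=False):
    """Return the set of results the record could yield for this client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"none"}
    possible = set()
    for term in terms[1:]:
        qual, name, arg = split_term(term)
        hit = matches(name, arg, ip)
        if hit is None:
            if not degraded:
                return {"abort"}  # assumed label: stop when an unknown mechanism is reached
            possible.add(qual)    # branch in which the unknown mechanism matched
            continue              # branch in which it did not: keep evaluating
        if hit:
            return possible | {qual}
    return possible | {"neutral"}  # assumed default when nothing matches

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, evaluate(SAMPLE, ip), evaluate(SAMPLE, ip, degraded=True))
```

A result set with more than one member is the "superposed state": the receiver cannot tell which outcome the publisher intended. A record such as `v=spf1 -foo:bar -all` still yields a single result in degraded mode, because both branches end in the same qualifier.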

