spf-discuss

Possible New Mechanism Prefix

2004-06-24 07:33:10
Currently, the possible prefixes are:

       +   pass
       -   fail
       ~   softfail
       ?   neutral

Pass means that the MTA is a designated sender for the domain.  For those of
us that don't run our own MTAs, there is always the possibility of someone
else forging our domain using that same MTA (it's not just statistics, we've
told everyone where to go to try and do the forgery).  For example, if I use
the Verizon (not picking on Verizon here, just an example) smtp
infrastructure:

verizon.net.    86400   TXT     "v=spf1 ip4:206.46.170.0/24 ip4:206.46.128.33
ip4:206.46.128.101 ip4:209.84.13.21 ip4:209.84.13.20 ?all"

I will have include:verizon.net in my spf record.

Now, anyone who is also a Verizon customer can successfully forge my domain
and get an SPF pass.

It seems to me that there is another level better than pass that we might
want to assert.  Pass means the sender is permitted.  "Authoritative Pass"
(my term for the next level) would mean that the MTA is permitted and the
domain owner will take responsibility for any e-mails from that MTA, because
only authorized domain users can send e-mail from that MTA.

This "Authoritative Pass" would be used by individuals and organizations
that run their own MTAs.  People like me who rely on shared infrastructure
would use the current pass.

I think this would be a win/win.

Entities that control their own MTA would get a way to assert an even higher
confidence level that could be used to inform receiver policies.

Entities using a shared MTA would be less likely to be disadvantaged by
receivers trying to hold them accountable for messages they didn't send.

Of course, many groups will use a mix of the two.

The more I look into how e-mail gets sent from my domain, the more nervous I
get about trying to fully describe it in an SPF record.  Did you know that
when you mail an article from the CNN web site it comes from "Received: from
localhost (HELO relay.clickability.com)"?

Scott Kitterman
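To make the shared-infrastructure point above concrete, here is a small SPF evaluator written for this page as an added example (it is not part of Scott's post or of any SPF implementation). It models the four qualifier prefixes, `ip4:` and `include:` as specified in RFC 4408, and evaluates a hypothetical domain `example.com` whose record is assumed to be `v=spf1 include:verizon.net -all`; the `verizon.net` record is the one quoted in the post, and the sender addresses are constructed test values rather than real mail.

```python
import ipaddress

# Constructed zone data for this example (no live DNS lookups).
# verizon.net is the record quoted in the post; example.com is a hypothetical
# domain that delegates to it with include: and an ASSUMED "-all" default.
SPF_RECORDS = {
    "verizon.net": (
        "v=spf1 ip4:206.46.170.0/24 ip4:206.46.128.33 "
        "ip4:206.46.128.101 ip4:209.84.13.21 ip4:209.84.13.20 ?all"
    ),
    "example.com": "v=spf1 include:verizon.net -all",
}

# Qualifier prefix -> result returned when the prefixed mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` against the sending address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the mechanisms needed for this page (all, ip4, include) are modelled.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"                   # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"                 # a bare mechanism is implicitly "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            # "ip4:a.b.c.d" without a prefix length is a single /32 host.
            network = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == 4 and addr in network
        elif name == "include":
            # include: matches only when the referenced domain yields "pass"
            # (RFC 4408, section 5.2); fail/softfail/neutral simply fall through.
            # A "none" result from the included domain should be a permerror
            # per the RFC; that corner is left out here to keep the example short.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not modelled in this example

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched: default result


def shared_mta_exposure():
    """Show that any sender on the shared Verizon ranges passes for example.com."""
    return {
        # 206.46.170.5 is a constructed address inside verizon.net's /24.
        "verizon_customer_for_example_com": check_host("206.46.170.5", "example.com"),
        # 203.0.113.9 is a constructed address (TEST-NET-3) outside every range.
        "unrelated_host_for_example_com": check_host("203.0.113.9", "example.com"),
        "unrelated_host_for_verizon_net": check_host("203.0.113.9", "verizon.net"),
    }


if __name__ == "__main__":
    for label, result in shared_mta_exposure().items():
        print(f"{label}: {result}")
```

The first lookup returns `pass` even though `example.com` never named 206.46.170.5 itself: `include:verizon.net` inherits every Verizon customer's sending address, which is exactly the accountability gap the post raises. The same outsider address gets `fail` for `example.com` (its own `-all`) but only `neutral` for `verizon.net` (its `?all`), which shows how the default qualifier chosen by the shared provider, not by the delegating domain, decides what receivers see.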