spf-discuss

Re: Possible New Mechanism Prefix

2004-06-24 07:39:34
On Thu, Jun 24, 2004 at 10:33:10AM -0400, spf(_at_)kitterman(_dot_)com wrote:
| 
| verizon.net.  86400   TXT     "v=spf1 ip4:206.46.170.0/24 ip4:206.46.128.33
| ip4:206.46.128.101 ip4:209.84.13.21 ip4:209.84.13.20 ?all"
| 
| I will have include:verizon.net in my spf record.
| 
| Now, anyone who is also a Verizon customer can successfully forge my domain
| and get an SPF pass.

They don't do SMTP AUTH?  Shocking!  If they did, they would
know exactly who was doing the forging, and you could sue them.

The initial design assumption was that having a paper trail
within a single organization was a "good enough" first step
to deter basic return-path forgery.

| It seems to me that there is another level better than pass that we might
| want to assert.  Pass means the sender is permitted.  "Authoritative Pass"
| (my term for the next level) would mean that the MTA is permitted and the
| domain owner will take responsibility for any e-mails from that MTA, because
| only authorized domain users can send e-mail from that MTA.
| 
| This "Authoritative Pass" would be used by individuals and organizations
| that run their own MTAs.  People like me who rely on shared infrastructure
| would use the current pass.
| 
| I think this would be a win/win.
 
| Entities that control their own MTA would get a way to assert an even higher
| confidence level that could be used to inform receiver policies.
| 
| Entities using a shared MTA would be less likely to be disadvantaged by
| receivers trying to hold them accountable for messages they didn't send.

I am not clear about what the functional difference is
between an authoritative pass and the regular pass.

Maybe you want to do v=spf1 +mymta ?include:verizon.net -all

| Of course, many groups will use a mix of the two.
| 
| The more I look into how e-mail gets sent from my domain, the more nervous I
| get about trying to fully describe it in an SPF record.  Did you know that
| when you mail an article from the CNN web site it comes from "Received: from
| localhost (HELO relay.clickability.com)"?

What do they use for the return-path?
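As an added example (not part of the original post), a small offline SPF evaluator showing what the `?include:verizon.net` suggestion above changes: the verizon.net record is the one quoted in the thread, while example.com, hardened.example.com and the 192.0.2.10 MTA address are constructed placeholders.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The verizon.net record is
# the one quoted in the thread; the example.com records are hypothetical.
RECORDS = {
    "verizon.net": "v=spf1 ip4:206.46.170.0/24 ip4:206.46.128.33 "
                   "ip4:206.46.128.101 ip4:209.84.13.21 ip4:209.84.13.20 ?all",
    # Plain include: any Verizon customer IP yields Pass for this domain.
    "example.com": "v=spf1 ip4:192.0.2.10 include:verizon.net -all",
    # The suggested form: own MTA gets Pass, the shared infrastructure only Neutral.
    "hardened.example.com": "v=spf1 +ip4:192.0.2.10 ?include:verizon.net -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Minimal SPF evaluator supporting ip4, include and all."""
    if depth > 10:
        return "permerror"          # include loop / too many lookups
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"             # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record returns Pass;
            # anything else (verizon's "?all" -> neutral) is simply no match,
            # so evaluation continues with the next mechanism.
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            return "permerror"      # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # record exhausted without a match
```

A Verizon address such as 206.46.170.5 gets Pass under the plain include but only Neutral under the `?include:` form, while the domain's own MTA gets Pass under both and an unrelated address fails under both.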