On Friday 25 June 2004 08:58 am, spf(_at_)kitterman(_dot_)com wrote:
> + pass
> - fail
> ~ softfail
> ? neutral
> > permitted
> I think this added level of granularity would strengthen SPF and make it
> significantly more useful for those of us who are (and will remain)
> dependent on outsourced MTA services.
Scott,
I'm sure that Meng may have touched on some of the things I am going to say,
but I don't think you quite understood the essence. The bottom line is that
what you want to do is beyond what SPF is trying to do.
SPF is only trying to answer the question: Do legitimate emails for this
domain come from this server? That's a bit different than the usual
wording: Is this server authenticated and authorized to send email for this
domain? But you'll note that the two statements are essentially the same.
Right now we have:
+ = Pass, or "Yes, this server is authorized to send email for that domain."
? = Neutral, or "I don't know, I can't tell, or there's not enough info."
~ = Softfail. "Probably not. We're not really sure yet where our email goes
through, but we are definitely sure that it is or isn't these other
servers."
- = "No, this server is not authorized."
Now you are proposing to add a new one:
= Permitted. "Some of the mail this server sends is for that domain."
The "permitted" answer is fundamentally the same as the "pass" answer. Let
me explain why.
Consider the case of Verizon. They have hundreds of email servers shuttling
mail around for millions of customers, let's say. They also send mail for
you. You have to tell people that mail from you will be coming through
Verizon. People realize that a lot of other mail comes through Verizon as
well. A lot of this mail may be spam. It may be joe-jobs or phishing scams
as well. It may or may not be your email even though it claims to be.
No one claims that ALL mail coming through Verizon is your mail. That isn't
even true for a company like Amazon. I don't think it is true for most
people. That's just not the way email works.
So the "PASS" result for SPF means that the server is authorized to send
mail for your domain, not that a particular message is from your domain.
You want a way to tell people, "Hey, this particular piece of mail that went
through Verizon is mine, but that one isn't." I think that's what you
really want in the end, right?
Now we need to think: How can you possibly claim such a thing? You can't
make a blanket statement that every piece of email that goes through a
server is for a domain. That isn't even true at Amazon. So SPF is out.
You can mark the message with a digital signature only you can make. That
would be PGP, GPG, or S/MIME. Domain Keys may also work for this purpose.
But now you have the problem of all the receivers checking for it. You want
some way of telling people, "Hey, if my mail isn't marked, then don't
accept it because it isn't mine." This would be a new protocol and system,
with new and different software.
Another option is to defend your name. When someone joe-jobs you via the
Verizon network, you can track down the offender. Hopefully Verizon will
cooperate with you in this kind of case. It won't be too hard to track them
down because Verizon will be trying to hold their customers accountable for
bad practices anyway. But maybe Verizon is pinklisting the spammer
(collecting money for the ability to behave badly) and they won't help you.
A third option is to move out of Verizon and to some other email host. They
may set it up so that your mail goes through one or two servers and no one
else uses those servers. Sure, it costs more money, but it is a
possibility.
Other than that, I am out of ideas.
The bottom line is what you want to do is something beyond what SPF and
MARID are trying to do.
--
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
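The point made in the message above, that a "pass" authorizes the server and says nothing about an individual message, shown as an added example that is not part of the original message. It is a simplified evaluator handling only the `ip4` and `all` mechanisms; the record, the addresses and the function names are constructed assumptions.

```python
import ipaddress

# Qualifier -> result, as listed in the message above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record (ip4 and all mechanisms only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in net
        else:
            # Assumption: other mechanisms are out of scope for this sketch.
            raise ValueError(f"mechanism not handled here: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched, default result

# Constructed sample data: example.org outsources its mail to a shared
# pool (192.0.2.0/24, a documentation range) that other customers also use.
RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"
MESSAGES = [
    # genuine mail sent by example.org through the shared pool
    {"mail_from": "alice@example.org", "client_ip": "192.0.2.25", "genuine": True},
    # another customer of the same pool using example.org's name
    {"mail_from": "alice@example.org", "client_ip": "192.0.2.25", "genuine": False},
    # same claimed sender, server outside the pool
    {"mail_from": "alice@example.org", "client_ip": "203.0.113.9", "genuine": False},
]

def results(record=RECORD, messages=MESSAGES):
    """SPF result per message; only the connecting IP is ever consulted."""
    return [evaluate_spf(record, m["client_ip"]) for m in messages]

if __name__ == "__main__":
    for m, r in zip(MESSAGES, results()):
        print(f'{m["client_ip"]:<12} genuine={m["genuine"]!s:<5} spf={r}')
```

The first two messages get the same result because the check sees only the connecting address, which is why per-message assurance needs something like the signatures mentioned in the message.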