spf-discuss
[Top] [All Lists]

RE: (Not) Possible New Mechanism Prefix

2004-06-26 11:21:53
OK.  I give.

First I said, since PASS=Permitted sender (i.e. PASS!=Not a forgery) those
organizations that run their own MTA and can confidently assert the if it's
a permitted sender it is not forged might want to do that (I called it
authoritative pass).  The answer I got was that PASS already means not a
forgery.

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Meng 
Weng Wong
Sent: Thursday, June 24, 2004 10:40 AM
snip
| It seems to me that there is another level better than pass
that we might
| want to assert.  Pass means the sender is permitted.
"Authoritative Pass"
| (my term for the next level) would mean that the MTA is
permitted and the
| domain owner will take responsibility for any e-mails from that
MTA, because
| only authorized domain users can send e-mail from that MTA.
snip
I am not clear about what the functional difference is
between an authoritative pass and the regular pass.

and

[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Mark 
Shewmaker
Sent: Thursday, June 24, 2004 4:48 PM
snip
On Thu, 2004-06-24 at 16:05, spf(_at_)kitterman(_dot_)com wrote:

I'm actually reasonably
comfortable with at least some of my neighbors.  As long as
people remember
that SPF Pass != not a forgery, then I should be OK.

Putting aside arguments over what's being authenticated, return-path or
PRA, part of the whole point of spf is to allow receivers to presume
that "SPF Pass==not a forgery".

If I get an spf-pass email from your business, I'm going to assume your
business is associated with the email, similar to the way that if when I
telephone your business, I'll assume that anyone who answers the phone
to be associated with your business (and able to speak for it.)


So then I said to myself, clearly I didn't understand.  SPF PASS==Not a
forgery, so I better make sure that I add a bunch of question marks to my
SPF records so I don't get falsely accused of sending spam.

I sent out an alternative that said, since SPF PASS==Not a forgery, it might
be nice for those of us using shared MTAs to be able to say, yes, that
message is from a permitted sender, but because it is a shared resource I
can't promise that I sent the message.  I called this a PERMITTED result.

Now at this point, I'm pretty confident that I've got it right.  The only
two possible meanings for PASS are PASS==Not a forgery or PASS==This is a
permitted sender.  Then I get:

[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Jon 
Kyme
Sent: Friday, June 25, 2004 1:27 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Possible New Mechanism Prefix

So, now we add "Permitted".

     Permitted (>): the message was sent from a sender permitted by the
domain.  MTAs
     proceed to apply local policy and MAY accept or reject the message
accordingly.


Surely that's what 'pass' already means.

and

[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Jonathan Gardner
Sent: Friday, June 25, 2004 5:41 PM
snip
Scott,

I'm sure that Meng may have touched on some of the things I am
going to say,
but I don't think you quite understood the essence. The bottom
line is that
what you want to do is beyond what SPF is trying to do.

SPF is only trying to answer the question: Do legitimate emails for this
domain come from this server? That's a bit different that the usual
wording: Is this server authenticated and authorized to send
email for this
domain? But you'll note that the two statements are essentially the same.

So now I am certain I am really confused and also that I am not the only
one.

In the responses I got two strong votes for SPF PASS==Not a forgery and I
got two strong votes for SPF PASS==This sender is permitted.  One of each of
those from senior people who've been involved in SPF a lot longer than I
have.

Now, the latest mengwong spec says:

     Pass (+): the message meets the publishing domain's definition of
     legitimacy.

I read that to mean PASS==Not a forgery.  Personally, I think being able to
say yes, this message is from a permitted sender would have value, but since
I appear to be the only one, I'll move on.

My major concern here is that there is clearly confusion over what PASS
means.  If people on this list are confused, what are the odds that the
20,000 domains the are coming in the next few days will get it right?

If you control your MTA, use PASS all you want.  If you use a shared MTA
that allows users to set Mail From independently of how they are logged in
(most ISPs) then be careful.

I'd like to see this clearly explained on the SPF web site and options added
to the wizards to ask people if the MTA is shared (I can do HTML, I'd be
willing to help).  I am deeply concerned that SPF record publishers who
shouldn't assert pass are going to do so (If PASS==Not a forgery) or SPF
receivers are going to falsely accuse SPF record publishers of spamming (If
PASS==Sender is permitted).  Either way, there are going to be false
accusations of spamming against legitimate domain owners that they wouldn't
have gotten if they hadn't published SPF records.

Sorry for the long rant, but this concerns me.

Scott Kitterman