spf-discuss

Re: Unified SPF and "layers" & draft-ietf-marid-rationale-00.txt

2004-06-28 16:59:38
On Mon, 28 Jun 2004, Matthew Elvey wrote:
This is a job for sysadmins:

 A - the New Email should be fully transparent to the end-user and
     require no reconfiguration.

 B - no disagreement!

Only Unified SPF has no disagreement.  Sender ID strongly disagrees (for
now; it's being changed, I think, based on Meng's recent post). It (for
now) mandates end-user reconfiguration on a massive scale, because,
IIRC, it doesn't say that HELO checking should/must be done.  Hence I
(of elvey.com) would have to get all my domain's end users to use MSAs
that I (as DNS admin of elvey.com) knew about.  (For fastmail.fm, my
email provider, who hosts mail for thousands of domains for many of
which they don't do DNS, they would have to support this for each user
of each domain!)  If HELO checking is mandatory, they just send HELO
fastmail.fm, and ensure that fastmail.fm has a good reputation.  No
support headache.


I doubt that a HELO check by itself would be enough for most applications. If 
HELO is not protected by SPF, you have to continue on to check either 
return-path or PRA.  If HELO passes, but the reputation is not squeaky-clean 
or whitelisted, you would still want to proceed to the next check.

There will probably be plenty of MTAs that pass the HELO check but produce
questionable mail, such as any outgoing mailer at a big ISP (Comcast, Charter,
etc.).  (See Shared MTA thread...)

I believe HELO checking will get the obvious failures (HELO using my own name 
for one) and the obvious white entries (trusted forwarder, etc), but I think 
the vast majority of forged/not-forged decisions in 2005 will be made by 
checking PRA.


But. Your point is that this involves problems for regular users.  Perhaps a 
few, but smart sysadmins will be able to handle this.  Most of them will set 
up SMTP AUTH and then send instructions to their users as to where their SMTP 
AUTH server is and how to set their settings.  (Usually there is a set of 
instructions already, they just need to alter it).

If "regular user" can include domain owners, then the ISP doing the technical 
things for them has the same challenge as the sysadmins at a large company - 
notify the users, then make the DNS change.

--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"
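
The layered order of checks discussed in the reply above (HELO first, then return-path or PRA when HELO does not settle the question), sketched as an added example that is not part of the original message. All host names, the whitelist and reputation sets, and the `layered_check` function are hypothetical; SPF results are passed in as inputs rather than looked up in DNS, and treating an SPF fail on HELO as an obvious failure is an assumption.

```python
from enum import Enum


class Spf(Enum):
    PASS = "pass"
    FAIL = "fail"
    NONE = "none"  # the identity publishes no SPF record


# Constructed sample data; every name here is hypothetical.
LOCAL_NAMES = {"mx.example.org"}         # names this receiver uses for itself
WHITELIST = {"forwarder.example.net"}    # trusted forwarders
GOOD_REPUTATION = {"mail.example.com"}   # HELO names with a clean reputation


def layered_check(helo, helo_spf, next_spf):
    """Return (decision, layer) for one SMTP session.

    helo_spf is the SPF result for the HELO name; next_spf is the result
    for the next identity checked (return-path or PRA).
    """
    name = helo.lower()

    # Obvious failure: the remote host introduces itself with our own name.
    if name in LOCAL_NAMES:
        return ("forged", "helo")
    # Assumption: an SPF fail on the HELO name is also an obvious failure.
    if helo_spf is Spf.FAIL:
        return ("forged", "helo")
    # Obvious white entry: HELO passes and the name is trusted.
    if helo_spf is Spf.PASS and (name in WHITELIST or name in GOOD_REPUTATION):
        return ("not-forged", "helo")

    # HELO is unprotected, or it passed without a trusted reputation:
    # proceed to the next identity.
    if next_spf is Spf.FAIL:
        return ("forged", "next")
    if next_spf is Spf.PASS:
        return ("not-forged", "next")
    return ("undecided", "next")


if __name__ == "__main__":
    # A shared ISP mailer: HELO passes, reputation unknown, next check decides.
    print(layered_check("smtp.bigisp.example", Spf.PASS, Spf.FAIL))
```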