spf-discuss

RE: (Not) Possible New Mechanism Prefix

2004-06-29 08:18:09
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Jonathan Gardner
Sent: Monday, June 28, 2004 2:32 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] (Not) Possible New Mechanism Prefix
On Saturday 26 June 2004 11:21 am, spf(_at_)kitterman(_dot_)com wrote:

Now, the latest mengwong spec says:

     Pass (+): the message meets the publishing domain's definition of
     legitimacy.

I read that to mean PASS==Not a forgery.  Personally, I think being able
to say yes, this message is from a permitted sender would have value, but
since I appear to be the only one, I'll move on.


Should we change the wording of this? I believe that SPF only ascertains
whether the domain allows email in its name to be transmitted via a
particular MTA server.

I propose:

      Pass (+): The sending MTA is permitted to send email for the domain.

We may want to add that the domain may want to add additional restrictions
to exactly what kind of messages are legitimate with other methods. This
may be better handled in a different section.

My major concern here is that there is clearly confusion over what PASS
means.  If people on this list are confused, what are the odds that the
20,000 domains that are coming in the next few days will get it right?


You are absolutely correct.

If you look at the transcript of the latest MARID jabber session:

http://www.xmpp.org/ietf-logs/marid(_at_)ietf(_dot_)xmpp(_dot_)org/2004-06-28.html

I believe that Meng has a different view:

"[15:30:05] <mengwong> Under the SPF model, if a domain authorizes an MTA to
use its name in the HELO string, that is an implicit statement of
responsibility. I think if Jim Lyon were here he might say something like "I
submit that any statement of a relationship between a domain and an entity
in which the domain does not accept responsibility for its name being used
by that entity, is not a useful statement." It sounds to me like we're
talking at cross purposes; when we use the word "responsible" do we have the
same meanings in mind? I have in mind a kind of relationship where if the
message is spam the domain's reputation can justifiably suffer."

Now, here he's just talking about HELO checking, but I can't see as that
changes the fundamental meaning of PASS.

Myself I still don't see how SPF can say more than "This is a permitted
sender".  I think it's increasingly clear that that is intended to mean more
than that.  All debate about how e-mail provisioning for entities that don't
run their own MTA SHOULD work aside, the way they DO work today, many small
domain owners (such as myself) are at risk of false positives.

If we aren't going to change how SPF works or is specified, we need to make
the risks of sharing an MTA clear.

Scott K
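
An added illustration, not part of the original message or of any SPF implementation: a minimal evaluator that handles only the `ip4` and `all` mechanisms, run over constructed records for two hypothetical domains that share one MTA. The check takes only the connecting IP and the domain as input, so a Pass states that the MTA is permitted for that domain and cannot say which customer of the shared MTA submitted the message.

```python
import ipaddress

# Constructed records: two small domains renting the same shared MTA (192.0.2.25).
RECORDS = {
    "alice.example": "v=spf1 ip4:192.0.2.25 -all",
    "bob.example": "v=spf1 ip4:192.0.2.0/27 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, records=RECORDS):
    """Evaluate a record that uses only ip4 and all mechanisms.

    The inputs are the connecting IP and the domain, nothing else, so the
    result describes the MTA and not the individual author of a message.
    """
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no usable record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix defaults to Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    shared_mta = "192.0.2.25"   # constructed address of the shared MTA
    elsewhere = "198.51.100.7"  # constructed address of an unrelated host
    for domain in RECORDS:
        # Same IP, either domain: both evaluate to pass.
        print(domain, "via shared MTA ->", check_host(shared_mta, domain))
        print(domain, "via other host ->", check_host(elsewhere, domain))
```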