spf-discuss

Re: (Not) Possible New Mechanism Prefix

2004-06-29 10:15:41
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 29 June 2004 08:18 am, spf(_at_)kitterman(_dot_)com wrote:
> I believe that Meng has a different view:
>
> "[15:30:05] <mengwong> Under the SPF model, if a domain authorizes an MTA
> to use its name in the HELO string, that is an implicit statement of
> responsibility. I think if Jim Lyon were here he might say something like
> "I submit that any statement of a relationship between a domain and an
> entity in which the domain does not accept responsibility for its name
> being used by that entity, is not a useful statement." It sounds to me
> like we're talking at cross purposes; when we use the word "responsible"
> do we have the same meanings in mind? I have in mind a kind of
> relationship where if the message is spam the domain's reputation can
> justifiably suffer."
>
> Now, here he's just talking about HELO checking, but I can't see as that
> changes the fundamental meaning of PASS.
>
> Myself I still don't see how SPF can say more than "This is a permitted
> sender".  I think it's increasingly clear that that is intended to mean
> more than that.  All debate about how e-mail provisioning for entities
> that don't run their own MTA SHOULD work aside, the way they DO work
> today, many small domain owners (such as myself) are at risk of false
> positives.
>
> If we aren't going to change how SPF works or is specified, we need to
> make the risks of sharing an MTA clear.


I see your point very clearly now. It sounds like Meng and others really do 
want an SPF PASS to mean the message is authentic, not just the MTA being 
an authorized server. I'll bring this up in a separate thread so it will
get more attention.

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA4aO+BFeYcclU5Q0RAvQKAJwKB3STCOkpYmLQyNRrzclj8pZQcQCeM75L
eo9WakCPbJwW3ASaqwICLLk=
=rIrv
-----END PGP SIGNATURE-----