spf-discuss

RE: What does PASS really mean?

2004-06-30 07:43:00
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Meng Weng Wong
Sent: Wednesday, June 30, 2004 2:35 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] What does PASS really mean?


On Wed, Jun 30, 2004 at 12:52:40AM -0400, spf(_at_)kitterman(_dot_)com wrote:
|
| This just highlights my original point.  People are confused about this.
| If people are wrong (either way) innocents will get burned.
|

You are right.  Accurate definitions are an important part
of setting expectations.  Let's work on refining the
language in the draft and on the website so that people have
a clear idea of exactly what they're getting into.

I think the most important place to focus is on the Wizards.  Looking at the
Pobox wizard, I would recommend the following changes to clear this up (this
is what I think would have worked for me and I was confused for a long
time):

There is currently a paragraph that says:

<P>Most domains send outbound mail through a relatively
small number of servers.  Domains should describe that set
of servers in an SPF record in their DNS.  Internet email
receivers can then reject forged messages which don't come
from an envelope sender domain's approved servers.  This
wizard helps domain owners identify all the servers which
could be expected to send mail from their domain.</P>

I would change it to something like this:

<P>Most domains send outbound mail through a relatively
small number of servers.  Domains should describe that set
of servers in an SPF record in their DNS.  Internet email
receivers can then reject forged messages which don't come
from an envelope sender domain's approved servers.  Internet
email receivers will also be able to report non-forged spam
messages in order to blacklist spam domains. This wizard helps
domain owners identify all the servers which could be
expected to send mail from their domain.</P>

As far as the content of the wizard goes, I expect that a:, mx:, and ptr:
are OK as is.  I would expect hosting companies to get those right (someone
correct me on that if I'm being optimistic).  For each of the "other
servers" categories, I believe that changes are necessary.

Pretty much by definition these are going to be shared services (the ISP is
guaranteed to be shared).  My recommendation is that the defaults in this
category be changed to ?a:, ?mx:, ?ip4:, and most especially ?include: and
that there be a question added for ?a:, ?mx:, ?ip4: that asks "Does this
server send e-mail only for authorized users of your domain?" (default no).
If they change the answer to yes, then for the servers they answered yes
for, ?a:, ?mx:, ?ip4: would be changed to a:, mx:, or ip4:.  Include: would
always be ?include:.

A more sophisticated second question might be to ask "Does this server allow
you to send e-mail from domains other than the one associated with your
account with this company?"  Default would be yes and if they change this
one to no, then remove the ?'s as above.  This covers the case where in
addition to doing some type of SMTP auth, the service provider locks down
the domains or addresses from which e-mail can be sent.

The defaults are important.  Generally speaking if someone doesn't
understand the question, they won't change it from the default.  These
defaults are conservative to avoid false positives.  People who understand
things better can change from the defaults to get a tighter SPF record.

Then in the Explain section, text would have to be added.

I would recommend something for each modifier that ends up with a ? that
says something like:

?a:relay.example_host.com indicates that while relay.example_host.com is
permitted (authorized) to send e-mail for example.com, example.com cannot
vouch for the authenticity of all messages sent through
relay.example_host.com. There is some chance forged e-mail may come from
relay.example_host.com.  SPF receivers should not blacklist example.com
based on spam sent through relay.example_host.com, but because example.com
cannot say with authority that e-mails sent through relay.example_host.com
are authentic, they may be subject to additional filtering and delivery
delays.  SPF receivers should treat messages sent through
relay.example_host.com the same as if you had not published an SPF record.
In order to more fully enjoy the benefits of SPF, please see {insert link
here to detailed discussion}.

If you like that, I'll write up a static HTML page for the detailed
discussion.

Scott Kitterman
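
The wizard defaults proposed in the message above, as an added example that is not part of the original message and is not the Pobox wizard's code. The function names, the answer fields, the `-all` ending and the sample addresses are assumptions made for illustration; the receiver-side check handles only `ip4` and `all` terms and does no DNS lookups.

```python
import ipaddress

# Hypothetical wizard model: each "other server" entry carries the answers
# to the two questions proposed in the message (defaults: no / yes).
def mechanism(kind, value, only_authorized_users=False, other_domains_allowed=True):
    """Return one SPF term using the proposed conservative defaults."""
    if kind == "include":
        return "?include:" + value  # proposal: include is always neutral
    if kind not in ("a", "mx", "ip4"):
        raise ValueError("unsupported mechanism: " + kind)
    # The '?' is dropped only when the owner changed one of the defaults.
    vouched = only_authorized_users or not other_domains_allowed
    return ("" if vouched else "?") + kind + ":" + value

def build_record(own_terms, other_servers, default="-all"):
    """Assemble the record; the '-all' ending is an assumption of this sketch."""
    terms = list(own_terms) + [mechanism(**s) for s in other_servers]
    return " ".join(["v=spf1"] + terms + [default])

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_ip4(record, client_ip):
    """Receiver-side sketch: evaluate ip4 and all terms, skip everything else."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term.lstrip("+-~?")
        if body == "all":
            return RESULTS[qualifier]
        if body.startswith("ip4:") and ip in ipaddress.ip_network(body[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched

# Constructed sample answers (documentation address ranges, made-up host name).
SAMPLE = build_record(["a", "mx"], [
    {"kind": "ip4", "value": "192.0.2.10"},                    # shared ISP relay, defaults kept
    {"kind": "ip4", "value": "198.51.100.0/24",
     "only_authorized_users": True},                            # owner vouches for this range
    {"kind": "include", "value": "isp.example.net",
     "only_authorized_users": True},                            # stays neutral regardless
])

if __name__ == "__main__":
    print(SAMPLE)
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(addr, check_ip4(SAMPLE, addr))
```

Mail from the shared relay evaluates to neutral, which is the result a receiver also gets when no SPF record is published, while the range the owner vouches for evaluates to pass.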