spf-discuss

RE: What does PASS really mean?

2004-06-30 12:03:23
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Jonathan Gardner
Sent: Wednesday, June 30, 2004 2:46 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] What does PASS really mean?

On Wednesday 30 June 2004 07:43 am, spf(_at_)kitterman(_dot_)com wrote:

A more sophisticated second question might be to ask "Does this server
allow you to send e-mail from domains other than the one associated with
your account with this company?"  Default would be yes and if they change
this one to no, then remove the ?'s as above.  This covers the case where
in addition to doing some type of SMTP auth, the service provider locks
down the domains or addresses from which e-mail can be sent.


More like "Do you trust that these servers won't spoof your domain?" It is
possible to securely configure an MTA so that it can be safely shared
without spoofing.

If you can't trust the server, then you shouldn't put it in '+'. '?' may be
appropriate, or even '~'.

Agree.  I was trying to ask the question in a specific way that could be
accurately answered by a small time domain owner who doesn't live and breathe
e-mail stuff.

If I ask the question, "Do you trust the server..." I think that would evoke
a squishy kind of answer...  Hey, Verizon (to continue from some of my
previous examples, still not picking on them) is a really big ISP.  I'm sure
they know what they are doing.  Yes, I trust them...  Well, Verizon uses
SASL so only Verizon customers can use their SMTP, but once they are
authenticated, they can use whatever domain for From:, Reply To:, etc. so the
answer should be YES (look in the headers to see where this message came
from).

By asking it the way I did, I was trying to get to the specifics of whether
another authorized user of the server can send mail that purports to be from
your domain.  That has a very specific answer.  To move on to another
example, my domain host (which I really like, even though their e-mail
support is a bit creaky) uses POP before SMTP.  That means anything that
comes from the authorized IP can go out through SMTP (thus I put ? in the
record for their SMTP server).  So I answer YES on their SMTP.  But they
also have a web mail interface.  Through that, you can only send out e-mail
where the From: is the same as the name/domain of the mail account you used
to log in.  That one gets a + because I can answer NO.

You are right, trust is what we are after, but I'm trying to ask the
question in terms of the mechanics that would allow trust in order to
minimize the risk people will use + when they should use ? (thus also the
proposed defaults).

I stayed away from ~ because of all the traffic about that being at best a
transient and something to try and stay away from.

Scott Kitterman
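As an added illustration (not part of the thread), the yes/no question above turned into a record-building rule and a minimal receiver-side check: a server whose other authorized users could forge the domain gets '?', one that binds From: to the login gets '+'. The host names, IP ranges and the closing "-all" are constructed assumptions, not values from the discussion.

```python
import ipaddress

# Constructed inventory of the servers that send mail for a domain. Each entry
# records the answer to "can another authorized user of this server send mail
# that purports to be from my domain?" (the question asked in the thread).
SERVERS = [
    {"name": "webmail (From: tied to login)", "ip": "192.0.2.10", "others_can_spoof": False},
    {"name": "POP-before-SMTP relay",         "ip": "192.0.2.20/30", "others_can_spoof": True},
]

# SPF qualifier -> result a receiver reports when that mechanism matches.
RESULT_FOR_QUALIFIER = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}


def qualifier_for(server):
    """YES (others could spoof) -> '?' neutral; NO -> '+' pass."""
    return "?" if server["others_can_spoof"] else "+"


def build_spf_record(servers, default_all="-all"):
    """Assemble a v=spf1 record from the per-server answers.
    The trailing 'all' term is an assumption here, not from the thread."""
    terms = ["v=spf1"]
    for s in servers:
        terms.append(f"{qualifier_for(s)}ip4:{s['ip']}")
    terms.append(default_all)
    return " ".join(terms)


def evaluate_ip4(record, sender_ip):
    """Minimal evaluator for ip4/all mechanisms only: the first mechanism that
    matches the connecting IP decides, and its qualifier picks the result.
    No match and no 'all' term yields neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term[0] in RESULT_FOR_QUALIFIER:
            qual, mech = term[0], term[1:]
        else:
            qual, mech = "+", term          # bare mechanism means '+'
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qual]
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip in net:
                return RESULT_FOR_QUALIFIER[qual]
    return "neutral"


if __name__ == "__main__":
    rec = build_spf_record(SERVERS)
    print(rec)
    for probe in ("192.0.2.10", "192.0.2.21", "203.0.113.5"):
        print(probe, "->", evaluate_ip4(rec, probe))
```

A message relayed through the shared POP-before-SMTP host only earns "neutral", so a receiver learns nothing about authenticity from it, while the webmail host's binding of From: to the account is what justifies the stronger "pass".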