On Fri, Jul 09, 2004 at 07:46:40PM -0500, Seth Goodman wrote:
|
| As far as I can see, these reputation systems are simply pipe dreams.
| They may come about and they may not. Right now, without the reputation
| systems, we are considering building a mechanism into SPF that allows a
| malicious party to override the published policy of the netblock owner.
| I respectfully suggest that is a poor idea.
actually, if public reputation services never appear, the
only overrides the algorithm will support are locally
hardcoded whitelists --- and the analogy with ssh is
appropriate. note the AND requirement for a positive
result:
from the unified doc:
For each tested identity, a result is obtained by running the
appropriate SPF test, and possibly also a reputation test:
A positive result is defined as one for which:
  - the SPF test returns Pass,
  AND
  - the reputation test returns a positive opinion of
    the domain under test.
A negative result is defined as one for which:
  - the SPF test returns Fail,
  OR
  - the reputation test returns a negative opinion of
    the domain under test.
A zero result is defined as any which is neither positive
nor negative. This may be due to the lack of any published
SPF data, a processing error, or a reputation test that
yields no information.
Note that for SPF/PTR and SPF/HELO, a test result of Softfail is
treated as Fail, and so is grounds for a negative result.
A positive result from any identity overrides a negative result
from any other identity.
If, during evaluation, a positive result is obtained, a mail receiver
MAY choose to dispense with further checks and accept the mail.
If, during evaluation, a negative result is obtained,
a mail receiver MUST continue to test the other identities
it has chosen to test in search of a positive result.
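The combination rules quoted above, worked through as an added example (this is not code from the SPF project or from the unified draft). It assumes constructed identity names, result strings and a local hard-coded whitelist/blacklist standing in for the reputation test, which is the only override source the reply above expects if no public reputation service appears; a Pass with no opinion therefore evaluates to zero, not positive.

```python
"""Per-identity result evaluation following the quoted unified-doc text.

Added illustration, not project code. Identity names ("HELO", "PTR",
"MAILFROM"), result strings and LOCAL_OPINION are constructed for the example.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# A reputation opinion: True = positive, False = negative, None = no information.
Reputation = Callable[[str], Optional[bool]]

# Constructed local whitelist/blacklist, standing in for a reputation service.
LOCAL_OPINION: Dict[str, bool] = {
    "good.example": True,
    "bad.example": False,
}


def local_reputation(domain: str) -> Optional[bool]:
    """Hard-coded local opinion; unknown domains yield no information."""
    return LOCAL_OPINION.get(domain.lower())


def identity_result(identity: str, spf_result: str, domain: str,
                    reputation: Reputation = local_reputation) -> str:
    """Classify one tested identity as 'positive', 'negative' or 'zero'."""
    spf = spf_result.lower()
    # For SPF/PTR and SPF/HELO a Softfail is treated as Fail.
    if identity in ("PTR", "HELO") and spf == "softfail":
        spf = "fail"
    opinion = reputation(domain)
    # Positive requires Pass AND a positive opinion.
    if spf == "pass" and opinion is True:
        return "positive"
    # Negative requires Fail OR a negative opinion.
    if spf == "fail" or opinion is False:
        return "negative"
    # Anything else (no SPF data, Neutral, no opinion, error) is zero.
    return "zero"


def evaluate(identities: Iterable[Tuple[str, str, str]],
             reputation: Reputation = local_reputation,
             stop_on_positive: bool = True) -> Tuple[str, Dict[str, str]]:
    """Evaluate (identity, spf_result, domain) triples in the receiver's order.

    Returns the overall result and the per-identity results actually obtained.
    A negative result never ends evaluation: the remaining identities MUST
    still be tested in search of a positive, which overrides any negative.
    A positive MAY end evaluation early (stop_on_positive).
    """
    results: Dict[str, str] = {}
    for identity, spf_result, domain in identities:
        results[identity] = identity_result(identity, spf_result, domain, reputation)
        if results[identity] == "positive" and stop_on_positive:
            return "positive", results
    if "positive" in results.values():
        return "positive", results
    if "negative" in results.values():
        return "negative", results
    return "zero", results


if __name__ == "__main__":
    # HELO fails and the domain is blacklisted, but MAIL FROM passes with a
    # whitelisted domain: the negative is overridden by the positive.
    print(evaluate([("HELO", "fail", "bad.example"),
                    ("MAILFROM", "pass", "good.example")]))
```

Running the module shows `('positive', {'HELO': 'negative', 'MAILFROM': 'positive'})`: the HELO negative forces the receiver on to the next identity, and the MAIL FROM positive then wins. Swap `good.example` for an unlisted domain and the same Pass yields only a zero, which is the point made above about hard-coded whitelists being the only override without a reputation service.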