spf-discuss

SPF and Responsibility

2004-07-19 13:26:27
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to summarize the arguments about SPF and responsibility.

My core argument is that by publishing SPF records, you assume 
responsibility for email sent with an SPF PASS result for your domain.

Others argue that the internet isn't securable, that people are stupid, and 
so they can't be held responsible. I say these are irrelevant.

I have a few questions for them. This should expose exactly where they 
believe responsibility starts and stops.

Hypothetical question: There are two companies, let's say neverspams.com and 
sometimesspams.com. Both companies send a large amount of email. Both 
publish SPF records.

In ten years of operation, NeverSpams never ever sends a single spam or 
virus with email that has SPF PASS. That's literally billions of emails 
with SPF PASS, and exactly 0 spam or viruses. All are legitimate, solicited 
email.

In ten years of operation, SometimesSpams occasionally sends spam or viruses 
with email that has SPF PASS. The total number of spam or viruses sent with 
SPF PASS among the total amount of email sent with SPF PASS is less than 
1%, but still some. That's literally billions of pieces of mail sent with 
SPF PASS, with only tens of millions of spams sent with SPF PASS.

Would you accept NeverSpams email with SPF PASS without further checks?

Would you accept SometimesSpams email with SPF PASS without further checks?

Would your opinion of SometimesSpams change if SometimesSpams blamed its 
problems on incompetent staff, lack of funding, geographical location, or 
a bad ISP? What if SometimesSpams is constantly being attacked and 
compromised?

Would your opinion change if SometimesSpams was ignorant and unresponsive? 
I.e., they get attacked, but they don't recognize it, or they won't do 
anything about it for weeks, or they ignore complaints about their 
compromised servers.

Would your opinion change if SometimesSpams sent 10% spam? 50%? 99%? 100%?

Final Question:

Who is ultimately responsible for NeverSpams' and SometimesSpams's email 
reputation (with email that has SPF PASS)?

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA/C5zBFeYcclU5Q0RAtMCAJ97hHzNNEGPlK2Uv05P06L9onfpBACfaCjz
TsY5NqveHQjXOmhpNLVc5y4=
=UdiQ
-----END PGP SIGNATURE-----

