Jonathan Gardner wrote:
I'd like to summarize the arguments about SPF and responsibility.
My core argument is that by publishing SPF records, you assume
responsibility for email sent with an SPF PASS result for your domain.
Others argue that the internet isn't securable, that people are stupid, and
so they can't be held responsible. I say these are irrelevant.
I have a few questions for them. This should expose exactly where they
believe responsibility starts and stops.
Hypothetical question: There are two companies, let's say neverspams.com and
sometimesspams.com. Both companies send a large amount of email. Both
publish SPF records.
In ten years of operation, NeverSpams never ever sends a single spam or
virus with email that has SPF PASS. That's literally billions of emails
with SPF PASS, and exactly 0 spam or viruses. All are legitimate, solicited
email.
In ten years of operation, SometimesSpams occasionally sends spam or viruses
with email that has SPF PASS. The total number of spam or viruses sent with
SPF PASS among the total amount of email sent with SPF PASS is less than
1%, but still some. That's literally billions of pieces of mail sent with
SPF PASS, with only tens of millions of spams sent with SPF PASS.
Would you accept NeverSpams email with SPF PASS without further checks?
Would you accept SometimesSpams email with SPF PASS without further checks?
Would your opinion of SometimesSpams change if SometimesSpams blamed its
problems on incompetent staff, lack of funding, geographical location, or
bad ISP? What if SometimesSpams is constantly being attacked and
compromised?
Would your opinion change if SometimesSpams was ignorant and unresponsive?
I.e., they get attacked, but they don't recognize it, or they won't do
anything about it for weeks, or they ignore complaints about their
compromised servers.
Would your opinion change if SometimesSpams sent 10% spam? 50%? 99%? 100%?
Final Question:
Who is ultimately responsible for NeverSpams' and SometimesSpams's email
reputation (with email that has SPF PASS)?
My answers to your questions would be exactly the same if you completely
removed all mentions of SPF. Mail from SometimesSpams would not be welcome at
my server.
Now the SPF pass results would be strong evidence that I would use to convince
myself that SometimesSpams were in fact responsible for the spam sent in their
name, just like links back to/embedded images from their website in the spam
emails would be strong evidence.
The point you originally made that I (still) take issue with is:
"When an email is sent using the domain name of an SPF publisher, you
can compare the server sending the mail and the published sending policy
of the sender. If it doesn't match, then the message is obviously forged
and can be discarded. If it does match, then the owner of the domain has
said that email coming from that server is email coming from him. He has
claimed responsibility."
Publishing an SPF record from a domain indicates where mail from that domain
may legitimately originate. That is the purpose of SPF. That is *not* the same
as saying that *any* mail from that source using that domain is legitimate and
that the sending domain is claiming responsibility for it. SPF is not
equivalent to a DNA test for spammers. It is more akin to a witness line-up.
It is evidence, but not strong enough to merit a conviction unless corroborated.
Remember that the original thread was entitled "SPF is not usable as legal
measure against spammers." The standard of proof required in a legal case is
considerably higher than one would apply to one's mail server filters, I'd expect.
Paul.
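The check both posters describe (compare the connecting server against the domain's published policy, treat a mismatch as forgery, treat a match as the domain's own mail) and the point Paul makes on top of it (a PASS attributes the mail to the domain but says nothing about whether it is spam) can be shown together in a small evaluator. The following is an added example, not code from either poster or from any SPF implementation: the SPF records for neverspams.com and sometimesspams.com are constructed, the `_spf.example.net` include target is hypothetical, and the evaluator handles only the `ip4`, `ip6`, `include` and `all` mechanisms (no live DNS, no `a`/`mx`/`ptr`/`exists`, no macros). The reputation part keeps a per-domain spam tally over PASS mail only, which is the "responsibility" both posters are arguing about, and the policy thresholds are arbitrary choices for illustration.

```python
import ipaddress

# Constructed SPF records for the thread's hypothetical domains (not real DNS
# data). A real checker fetches the domain's TXT record at delivery time.
SPF_RECORDS = {
    "neverspams.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "sometimesspams.com": "v=spf1 ip4:198.51.100.10 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/28 -all",  # hypothetical include target
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, records=SPF_RECORDS, depth=0):
    """Evaluate a simplified SPF policy for `domain` against the connecting IP.

    Supports ip4, ip6, include and all; mechanisms needing live DNS are left
    out. Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # guard against include loops (RFC 7208 limits lookups)
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # `in` is False when address and network are different IP versions
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy yields pass
            if check_spf(arg, ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # any other mechanism is ignored by this simplified evaluator
    return "neutral"  # nothing matched and no trailing "all"


def build_pass_reputation(messages, records=SPF_RECORDS):
    """Tally spam among SPF-PASS mail per domain.

    `messages` yields (domain, ip, is_spam). Mail that does not reach PASS is
    not attributed to the domain, so it is left out of the tally.
    Returns {domain: (pass_count, spam_pass_count)}.
    """
    tally = {}
    for domain, ip, is_spam in messages:
        if check_spf(domain, ip, records) != "pass":
            continue
        passes, spam = tally.get(domain, (0, 0))
        tally[domain] = (passes + 1, spam + (1 if is_spam else 0))
    return tally


def spam_rate_on_pass(tally, domain):
    passes, spam = tally.get(domain, (0, 0))
    return spam / passes if passes else None


def policy_decision(domain, ip, tally, max_spam_rate=0.01, records=SPF_RECORDS):
    """Combine the SPF result with the domain's PASS reputation.

    fail -> reject as forged; pass from a domain whose PASS mail has a low
    spam rate -> accept; anything else -> run the remaining filters.
    """
    result = check_spf(domain, ip, records)
    if result == "fail":
        return "reject"
    if result == "pass":
        rate = spam_rate_on_pass(tally, domain)
        if rate is not None and rate <= max_spam_rate:
            return "accept"
    return "filter"


# Constructed delivery log: (envelope domain, connecting IP, spam verdict).
SAMPLE_LOG = [
    ("neverspams.com", "192.0.2.5", False),
    ("neverspams.com", "192.0.2.6", False),
    ("neverspams.com", "192.0.2.7", False),
    ("neverspams.com", "198.51.100.10", True),      # forged: fail, not counted
    ("sometimesspams.com", "198.51.100.10", False),
    ("sometimesspams.com", "198.51.100.10", True),
    ("sometimesspams.com", "203.0.113.5", False),   # pass via include
    ("sometimesspams.com", "192.0.2.9", True),      # softfail, not counted
]

if __name__ == "__main__":
    tally = build_pass_reputation(SAMPLE_LOG)
    for d in ("neverspams.com", "sometimesspams.com"):
        print(d, tally[d], spam_rate_on_pass(tally, d))
    print(policy_decision("neverspams.com", "192.0.2.8", tally))        # accept
    print(policy_decision("sometimesspams.com", "198.51.100.10", tally))  # filter
    print(policy_decision("neverspams.com", "203.0.113.99", tally))      # reject
```

Two things the log makes visible: the forged message "from" neverspams.com at 198.51.100.10 fails SPF and never touches that domain's reputation, while the spam that sometimesspams.com's own authorized server emitted does count against it. SPF fixes who the mail is attributed to; whether a PASS is then enough to skip further checks is a separate decision that depends on what that domain's PASS mail has looked like so far.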