Jonathan Gardner wrote:
That doesn't make any sense. A large part of my assertions relied on the
fact that mail sent from the domains AND had an SPF PASS result. Without
that, they are all meaningless.
Where you and I are disagreeing is about your assertion that an SPF "pass"
result implies that the purported sender is accepting responsibility for the
email. So let's forget the analogies and go back to the specs to see exactly
what an SPF "pass" result actually means.
First of all, let's consider the "classic SPF" spec.
(http://spf.pobox.com/spf-draft-200406.txt):
Section 3 of this spec. says:
Pass (+): the message meets the publishing domain's definition of
legitimacy. MTAs proceed to apply local policy and MAY accept or
reject the message accordingly.
Note that the definition of legitimacy here is that of the publishing domain,
not of the receiver. So you can't assume that just because the result is a
pass, the original domain is accepting full responsibility/liability for that
mail.
Section 1.2 of the spec. also mentions that:
Designated sender schemes are weaker than cryptographic schemes but
provide more assurance than the current SMTP model.
The language used in the newer MARID spec.
(http://spf.pobox.com/draft-ietf-marid-protocol-00.txt) is even weaker:
Section 3.2 specifies the results set:
Neutral (?): published data is explicitly inconclusive
Pass (+): the <ip> is in the permitted set
Fail (-): the <ip> is in the not permitted set
SoftFail (~): the <ip> may be in the not permitted set
A "pass" indicates that an IP is *permitted* to send email for a domain.
Nowhere does it say that any SPF "pass" result means that the sending domain
accepts responsibility for email in a complete and legally-binding way. In
fact I would go as far as to wager that if it did say something like that then
the number of domains publishing SPF would shrink significantly and the
technology would never actually take off.
SPF gives you a good indication of whether or not mail is a forgery. But it's
not foolproof. DomainKeys probably provides something more like what you're after.
Paul.
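As an added illustration of the point argued above (example code written for this page, not code from either poster or from the SPF drafts): a minimal evaluator that maps the qualifier prefixes from section 3.2 to their result names, followed by a separate receiver-side step in which a "pass" is only "the IP is in the permitted set" and local policy still decides what to do. It handles only the ip4, ip6 and all mechanisms, and the trusted-domain rule is an assumed receiver policy, not anything the drafts specify.

```python
import ipaddress

# Result names for the qualifier prefixes quoted from section 3.2.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a record containing only ip4/ip6/all terms for client_ip.

    The result is the *publishing* domain's verdict on the sending IP;
    a "Pass" means nothing more than "this IP is in the permitted set".
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # no usable SPF record for this domain
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply does not match (returns False).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, include, ...) are out of scope here.
    return "Neutral"  # nothing matched and no trailing "all"


def local_policy(spf_result: str, sender_domain: str, trusted: set) -> str:
    """Assumed receiver policy applied *after* SPF, as section 3 allows.

    A "Pass" is treated as evidence the mail is not forged, but only domains
    the receiver already trusts are accepted outright; everything else still
    goes through normal filtering, because SPF says nothing about liability.
    """
    if spf_result == "Fail":
        return "reject"
    if spf_result == "Pass" and sender_domain in trusted:
        return "accept"
    return "filter"  # Pass from an unknown domain, SoftFail, Neutral, None
```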