spf-discuss

Re: SPF and Responsibility

2004-07-21 11:10:20

Michel Bouissou wrote:
| On Wednesday 21 July 2004 19:17, Jonathan Gardner wrote:
|
|>>Nowhere does it say that any SPF "pass" result means that the sending
|>>domain accepts responsibility for email in a complete and legally-binding
|>>way. In fact I would go as far as to wager that if it did say something
|>>like that then the number of domains publishing SPF would shrink
|>>significantly and the technology would never actually take off.
|>
|>Here again, it supports my argument. If I permit email to be sent in my
|>name, I am claiming responsibility for it.
|
| Nope.
|
| "SPF pass" doesn't mean in any way "All the mail coming from that
| server and claiming to be from me is actually from me".
|
On the contrary, that is _exactly_ what it means.
If you cannot make that statement with the same level of confidence
that you can "material published on my website actually comes from me",
then you shouldn't use +serverIdentifier.

| "SPF pass" means "This server is a legitimate and usual sender of e-mail
| coming from my domain". That's all. And that's already nice, as an
| "SPF fail" will then mean "This e-mail comes from an unauthorized server
| and should be discarded as it most probably forges its origin".
|
| SPF is not (and I believe it wasn't meant to be, in the first place) a
| means for assuring at 100% that a given message bears a true origin or a
| forged one.
|
How close do you need it to be before you can accept responsibility?

| SPF is meant to help detect most forgeries easier in the vast majority of
| cases.
|
| Suppose "my-little-domain.com" relays its outgoing mail thru its IAP's
| server. Then it will be logical for "my-little-domain.com" to configure
| their SPF record as to state that their IAP's server is a legitimate
| sender of mail from their domain.
|
| But that in no way means that EVERY mail sent by others thru this IAP's
| server actually comes from "my-little-domain.com". Some could be forgeries
| made by customers of the same IAP.
|

In this case "my-little-domain.com" should not have any PASS entries in
their SPF record, as they cannot assert positive control over the
primary source of their e-mails. It is really as simple as that.

They _can_, however, assert that any e-mail _not_ from their ISP's
servers is forged, so they get FAIL protection, which is a lot
better than they can expect without SPF.

--
Daniel Taylor
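The two record shapes argued over above (a "+" PASS entry for a shared ISP relay versus keeping that relay NEUTRAL and reserving "-all" for the FAIL protection), as an added example that is not part of the thread. It uses a minimal evaluator for ip4/all mechanisms only; the relay and rogue addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result; an unqualified mechanism means "+" (PASS).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate a minimal SPF record (ip4 and all mechanisms only) for sender_ip.

    Returns the result of the first matching mechanism, or 'neutral' when no
    mechanism (not even 'all') matches. Other mechanisms are rejected.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            # A bare address is treated as /32; strict=False tolerates host bits.
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"unsupported mechanism: {name}")
    return "neutral"

# Constructed addresses (documentation ranges), not real hosts.
ISP_RELAY = "192.0.2.10"       # the IAP's shared outgoing relay
ROGUE_HOST = "198.51.100.7"    # an unrelated host forging the domain

# What my-little-domain.com publishes if it reads "usual relay" as "my mail":
CLAIMS_PASS = "v=spf1 +ip4:192.0.2.10 -all"
# What the reply argues for: no PASS for a relay the domain does not control,
# but still FAIL for every other source.
NEUTRAL_RELAY = "v=spf1 ?ip4:192.0.2.10 -all"

def compare_records(sender_ip):
    """Result of both records for one sending address."""
    return {"claims_pass": evaluate_spf(CLAIMS_PASS, sender_ip),
            "neutral_relay": evaluate_spf(NEUTRAL_RELAY, sender_ip)}

if __name__ == "__main__":
    for host in (ISP_RELAY, ROGUE_HOST):
        print(host, compare_records(host))
```

Mail forged by another customer of the same IAP still leaves through the relay, so the first record grants it a PASS while the second only yields NEUTRAL; both records give FAIL for the unrelated host.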

