spf-discuss

Re: SPF and Responsibility

2004-07-21 11:48:12
On Wednesday 21 July 2004 20:13, Jonathan Gardner wrote:

>> "SPF pass" doesn't mean in any way "All the mail coming from that server
>> and claiming to be from me is actually from me".
>>
>> "SPF pass" means "This server is a legitimate and usual sender of e-mail
>> coming from my domain". That's all. And that's already nice, as an "SPF
>> fail" will then mean "This e-mail comes from an unauthorized server and
>> should be discarded as it most probably forges its origin".
>>
>> SPF is not (and I believe it wasn't meant to be, in the first place) a
>> means for assuring at 100% that a given message bears a true origin or a
>> forged one.
>
> So you are saying that it is a legitimate sender of email, but the email
> it sends may not be legitimate? That makes absolutely no sense.

Yes it does. It means "This server is a legitimate and usual sender of e-mail 
coming from my domain". That's all, again.

It does *NOT* in any way mean that the server is under our strict 
administrative control, is not shared with others, and that these others 
could (possibly, but with little odds) forge e-mail headers.

It is a fact that most individuals and businesses send mail thru a gateway 
which is not under *their strict* administrative control -- actually, if it 
*is* under their strict administrative control, it's usually poorly 
configured and secured MS stuff ;-).
Either servers are shared at hosting companies or IAPs, or companies outsource 
some of their email technical infrastructure, and, if they CAN assert that a 
given server "is a legitimate sender of mail from their domain", they CANNOT 
assert that they have full administrative control over it and that no forged 
mail will ever come thru it.

(But if forged mail DOES someday come thru it, the issue will be easier to 
resolve, given that it surely comes from another customer of the same ISP, 
hosting company or email outsourcing company. So there will be traceability, 
and the abuse/complaints service will probably listen to their own customer 
and take action. This is not the same as forged mail coming from a malevolent 
server at the other end of the globe, or from virused/trojaned end-user 
Windows machines anywhere, where you have quite little chance to ever get 
your complaints read).

If you are willing to use a "SPF pass" only for servers that are 100% 
under the strict control of the sender domain, then the bad news is that a 
very, very small percentage of Internet email will ever get an SPF pass.

And then SPF will miss its goal.

I believe it hasn't been designed in the first place to give positive assurance 
that messages coming from big.corporation.com are good.

It has been designed to help determine what is legitimate and what is not in 
the vast majority of the cases, and this is achieved by setting a "+" for 
servers that usually send legitimate mail from your domain. That's all.

> If it isn't a legitimate sender (but not an illegitimate one either), then
> publish it with '?'. That conveys what you want: This server sometimes
> sends legitimate mail, but sometimes it doesn't. I can't tell you
> definitively at this time - you'll need to do some more checking on the
> individual messages.

No. "?" Means "I don't know. Possibly legitimate, possibly not".

"+" is used for "this server is expected to send a vast majority of legitimate 
mail claiming to be from me. However it cannot be assured that it will not be 
exploited someday or the other".

> Otherwise, there will be no way for a company like Amazon to say "These
> servers ARE legitimate, and ONLY send legitimate mail. Do no further
> investigation into their legitimacy."

There are ways, but SPF is not the way for that. SPF has not been designed for 
that.

If you want a guarantee "this is legitimate mail", what you need is a strong 
end-to-end authentication scheme, not SPF.

> If you can't trust IAP, then don't list them as a legitimate server! Why
> would you tell me to trust them if you don't even trust them?

;-)

> Better yet, if you can't trust IAP, don't use their services!

I wish life could really be *that* simple.

There are not 50 different available IAPs in any place of the world... Not 
everybody lives in big cities. And even when there are several to choose from, 
you cannot always be sure that going from X to Y will be any better.

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E

