spf-discuss

Re: SPF and Responsibility

2004-07-21 13:00:57
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 21 July 2004 11:48 am, Michel Bouissou wrote:
> If you are willing to use a "SPF pass" only for servers that are 100%
> percent under the strict control of the sender domain, then the bad news
> is that a very, very small percentage of Internet email will ever get an
> SPF pass.


No, I am saying use SPF PASS only for *trusted* sending MTAs. Trusted means 
you trust them (obviously).

If I am a small company, and I have an ISP, I obviously trust my ISP. So I 
will list them as my legitimate sending MTA. If I can't trust my own ISP, I 
have more serious problems than sending email!

If I am a larger company, and I host my own mail servers, I obviously trust 
them, so I will list them as my legitimate sending MTAs.

If I contract out my mailing capabilities to a third party I trust, I will 
list their sending MTAs as legitimate. If I don't trust them, why would I 
use them?

> And then SPF will miss its goal.


No, it will still have the part you claim is most valuable: '-', even if the 
SPF PASS doesn't mean the sending MTA is legitimate.

> I believe it hasn't been designed in the first place to give positive
> assurance that messages coming from big.corporation.com are good.


No, it hasn't. No one is saying it is.

We aren't trying to determine if something is spam or not. We are 
introducing responsibility into the email system, something that is not 
there now.

> It has been designed to help determine what is legitimate and what is not
> in the vast majority of the cases, and this is achieved by setting a "+"
> for servers that usually send legitimate from your domain. That's all.


So you agree with me then, except you have this little part "vast majority 
of cases". How much is vast? 75%? 90%? 99%? 99.999999......% (=100%)?

> > If it isn't a legitimate sender (but not an illegitimate one either),
> > then publish it with '?'. That conveys what you want: This server
> > sometimes sends legitimate mail, but sometimes it doesn't. I can't tell
> > you definitively at this time - you'll need to do some more checking on
> > the individual messages.
>
> No. "?" means "I don't know. Possibly legitimate, possibly not".
>
> "+" is used for "this server is expected to send a vast majority of
> legitimate mail claiming to be from me. However it cannot be assured that
> it will not be exploited someday or the other".


Read the spec. It says PASS is LEGITIMATE. Not mostly legitimate, not 
partially legitimate, but LEGITIMATE. The newer specs talk about 
permission.

> > Otherwise, there will be no way for a company like Amazon to say "These
> > servers ARE legitimate, and ONLY send legitimate mail. Do no further
> > investigation into their legitimacy."
>
> There are ways, but SPF is not the way for that. SPF has not been
> designed for that.
>
> If you want a guarantee "this is legitimate mail", what you need is a
> strong end-to-end authentication scheme, not SPF.


What more can you authenticate? We tell people right now "These servers send 
Amazon mail." We tell them based on IP address or DNS name. We do it 
without SPF. (In fact, we use email and telephone calls to do it. It takes 
a lot of time and has some problems.)

If SPF doesn't provide this ability, we will have to keep on telling people 
that. After all, they really want to know so that they can expedite the 
processing of our millions of messages.

> > If you can't trust IAP, then don't list them as a legitimate server!
> > Why would you tell me to trust them if you don't even trust them?
>
> ;-)


Don't mock this statement. This is the core kernel of truth.

I ask again, if you can't trust a sending MTA, why do you tell me to trust 
it?

Here is the logical conclusion.

If you publish untrusted senders in '+', then you will be sending 
illegitimate email out as yourself, telling people to trust it. Your 
reputation will suffer. Your email will be subjected to more earnest checks 
(like Bayesian filters). You will be blacklisted. You will have no one to 
blame but yourself for the logical conclusion.

Instead, if you publish untrusted, but sometimes legitimate senders as '?', 
we won't hold your domain responsible. We will subject the mail to more 
earnest checks, but we will not attribute spam to your domain.

So I ask again, why tell me to trust sending MTAs you yourself don't trust?

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA/st5BFeYcclU5Q0RAmSGAKCzbbMl385DEklVyfcjXEheP1ZRvwCgl27O
S3daWWZsS5gh5EhO5nvpFiQ=
=J5BC
-----END PGP SIGNATURE-----
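
An added illustration, not part of the original message or of any SPF implementation: a simplified evaluator (only `ip4`, `ip6` and `all`, no DNS lookups) showing how publishing a shared relay under '+' versus '?' changes the result a receiver sees, and with it whether the mail is attributed to the publishing domain. The records, addresses and the `receiver_action` policy are constructed assumptions that follow the argument in the message above.

```python
import ipaddress

# SPF qualifier prefix -> evaluation result
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate a simplified SPF record (ip4/ip6/all only) for one client IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism defaults to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # a, mx, include, ... need DNS and are skipped in this sketch
    return "neutral"                         # no mechanism matched

def receiver_action(result):
    """Hypothetical receiver policy: (attribute_to_domain, handling)."""
    if result == "pass":
        return True, "accept"                # domain vouched for this MTA
    if result == "fail":
        return False, "reject"
    return False, "content checks"           # '?', '~', none: not attributed

# Constructed sample: own MTA 192.0.2.10, shared relay range 198.51.100.0/24.
RECORD_PLUS = "v=spf1 ip4:192.0.2.10 +ip4:198.51.100.0/24 -all"
RECORD_NEUTRAL = "v=spf1 ip4:192.0.2.10 ?ip4:198.51.100.0/24 -all"

if __name__ == "__main__":
    for label, record in (("+", RECORD_PLUS), ("?", RECORD_NEUTRAL)):
        for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            result = spf_result(record, client)
            print(label, client, result, receiver_action(result))
```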

