-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 21 July 2004 12:44 pm, Michel Bouissou wrote:
Le mercredi 21 Juillet 2004 20:52, terry(_at_)ashtonwoodshomes(_dot_)com a
écrit :
If I am correct, then even an SPF pass does not prove the email to be
legitimate or from the owner of the domain.
You are correct, because an "SPF pass" is not meant to *prove* that an
email is "legitimate from the owner of the domain". It is only meant to
prove that this server is explictly authorized to send this domain's
email -- and not ONLY this domain's email, and not 100% non-forged email.
These 2 last assumptions would be your own interpretation.
In that case, having no SPF record is equivalent to having one of '+all',
because currently, your email can be sent from any server.
But it's not. Having no SPF records is (mostly) equivalent to '?all',
meaning email MAY be sent from any server, but you aren't saying that it is
or isn't.
Explain to me again how a legitimate server sending email that is
illegitimate is not your responsibility. If you can't trust the machine,
why are you telling me to trust the machine?
Let's come back to the sources. When I started using SPF and published my
first record, I first read the documentation available from the SPF
website (obviously), the played a little with the "record creation
wizard", then created records by hand.
All the literature there states things like "List servers that normally
send mail from your domain".
AKA, servers you authorize to send email for you, obviously, because you are
sending email through them right now.
It never, nowhere states neither that these servers should send *only*
mail from your domain, nor that you have full administrative control over
them, nor that a forged mail should never be able to pass thru them, nor
that you actually commit in taking liability for all email coming thru
these servers that claim to be "from you" or from another user of your
domain.
That's not what '+' means. You don't have to have administrative control of
a machine to trust it. You can trust the people that do have administrative
control, or trust the people who trust the people etc....
Also, it is quite possible to have mail coming from two or more domains from
the same machine. However, mail coming from different domains should claim
to be from different domains. What SPF checks is (a) where does the email
claim to come from? (b) Do those people allow or disallow this server to
send email for them?
If you tell me that a server is allowed to send email for your domain, then
you take responsibility for email that server sends for your domain!
These extensions about "responsibility", "liability" or "accountability"
are pure extrapolations in the mind of people thinking that SPF should
mean more than what it does actually mean.
No, it is logical and irrefutable. Answer the questions from my first post
and you will see why. No one who opposes me have dared to clarify their
position beyond asserting that legitimate is not legitimate.
You too are falling in that same trap. You are trying to tell me to trust
servers you can't trust yourself.
- --
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFA/s7hBFeYcclU5Q0RAjChAJ9PSwyaxdvZjFtmkgMviy1T+bUeOgCgl2M1
deNZthwbq4gDTRhACOzcP9I=
=lsGC
-----END PGP SIGNATURE-----