spf-discuss

Re: SPF and Responsibility

2004-07-21 13:23:30
On Wed, 21 Jul 2004, Michel Bouissou wrote:

So you are saying that it is a legitimate sender of email, but the email
it sends may not be legitimate? That makes absolutely no sense.

Yes it does. It means "This server is a legitimate and usual sender of e-mail 
coming from my domain". That's all, again.

It does *NOT* in any way mean that the server is under our strict 
administrative control, is not shared with others, and that these others 
could (possibly, but with little odds) forge e-mail headers.

Then it should be marked as '?'.  If you know that it sometimes sends forged
mail and/or are unable to take reasonable steps to secure it, then marking it
with '+' is wrong (technically and ethically).

Listen to Jonathan.  He has it right on this issue.

I wonder if my ideas about the difference between softfail and neutral
are shared by anyone else.

neutral means "I know what server you're talking about, but I can't
make any guarantees about the mail it sends whether PASS or FAIL."

softfail means "I am not sure whether that server is one of our legit
servers at the moment because we are in the process of changing things
around, or maybe we have a bunch of users running around sending mail
without SMTP AUTH or SMTPS or even a VPN."

It is a fact that most individuals and businesses send mail through a gateway 
which is not under *their strict* administrative control -- actually, if it 
*is* under their strict administrative control, it's usually poorly 
configured and secured MS stuff ;-).
Either servers are shared at hosting companies or IAPs, or companies 
outsource 
Taking responsibility doesn't imply competence. :-)

I am in the same situation for my vanity domain.  I have a server
that I use to send mail, and that all members of the domain should
use as well.  But various family members are on ISPs and don't know how to use
the proper mail profile configured for SMTP AUTH (remembering to 
use port 525 since 25 is blocked is a problem as well).  So the SPF record
looks like this:

  v=spf1 mx:bmsi.com ?ptr:cox.net ?ptr:earthlink.net -all

If it comes from one of those ISPs, then I can't make any guarantees :-)
Lots of people send mail through those ISPs, and the ISP makes no attempt
at authentication.

If it comes from any other ISP, however, it is definitely a FAIL.

And if they use a correct mail profile, then they get a definite PASS.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
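The three outcomes Stuart describes for his record (PASS via mx, NEUTRAL via the "?ptr" terms, FAIL via "-all"), and the neutral-versus-softfail distinction discussed earlier in the thread, can be checked mechanically. The evaluator below is an added example written for this page, not code from the original post or from any SPF implementation. It resolves names against a constructed, in-memory DNS table (the cox.net and example.org hostnames and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation-range stand-ins, not real infrastructure) so it runs offline, and it only implements the mechanisms the record uses plus ip4.

```python
"""
Minimal SPF evaluator over a constructed DNS table.

Added example, not from the original post. Handles the mechanisms in
Stuart's record (mx, ptr, all) plus ip4, with all four qualifiers.
Real SPF (RFC 7208) also needs include, redirect, a, exists, macros,
DNS-lookup limits and error results; none of that is attempted here.
"""
import ipaddress

# Constructed DNS data standing in for real lookups. Every name and
# address below is invented for this example.
FAKE_DNS = {
    "mx":  {"bmsi.com": ["mail.bmsi.com"]},
    "a":   {"mail.bmsi.com":    ["192.0.2.10"],
            "smtp01.cox.net":   ["198.51.100.5"],
            "mail.example.org": ["203.0.113.7"]},
    "ptr": {"192.0.2.10":   ["mail.bmsi.com"],
            "198.51.100.5": ["smtp01.cox.net"],
            "203.0.113.7":  ["mail.example.org"]},
}

# Stuart's record, copied from the post above.
STUART_RECORD = "v=spf1 mx:bmsi.com ?ptr:cox.net ?ptr:earthlink.net -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(kind, name):
    """Return the constructed DNS answers of `kind` for `name` ([] if none)."""
    return FAKE_DNS[kind].get(name.lower(), [])


def mech_matches(mech, arg, ip, domain):
    """True if sending address `ip` matches mechanism `mech` with argument `arg`."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    target = arg or domain           # bare "mx" / "ptr" means the MAIL FROM domain
    if mech == "a":
        return ip in lookup("a", target)
    if mech == "mx":
        # Any A record of any MX host of the target domain.
        return any(ip in lookup("a", host) for host in lookup("mx", target))
    if mech == "ptr":
        # Validated reverse lookup: each PTR name must forward-resolve back to
        # the IP (otherwise anyone controlling reverse DNS could claim a name),
        # and must be the target domain or a subdomain of it.
        for host in lookup("ptr", ip):
            in_domain = host == target or host.endswith("." + target)
            if in_domain and ip in lookup("a", host):
                return True
        return False
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(record, ip, domain):
    """Evaluate a v=spf1 record for `ip` sending MAIL FROM `domain`.

    Returns the result of the first matching term; if nothing matches,
    the default is neutral (which is why most records end in -all or ~all).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech_matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(ip, "->", check_spf(STUART_RECORD, ip, "bmsi.com"))
    # Same ISP relay, but with the "?" swapped for "~":
    soft = STUART_RECORD.replace("?ptr:cox.net", "~ptr:cox.net")
    print("198.51.100.5 with ~ptr:cox.net ->", check_spf(soft, "198.51.100.5", "bmsi.com"))
```

Run against the constructed table, mail relayed through Stuart's own MX gets "pass", mail from the cox.net relay gets "neutral" (the receiver learns nothing either way, as the post says), and mail from any other host falls through to "-all" and gets "fail". Changing one "?" to "~" turns the middle case into "softfail" without touching the other two, which is the practical difference between the two qualifiers: same matching, different advice to the receiver. One caveat for anyone copying the record style: RFC 7208 says the ptr mechanism SHOULD NOT be used, because it is slow and depends on reverse DNS the domain owner does not control; ip4/ip6 or include terms for the ISP are the usual replacement.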

