spf-discuss

Re: SPF and Responsibility

2004-07-21 13:54:17
On Wed, 21 Jul 2004, Michel Bouissou wrote:

> It never, anywhere, states that these servers should send *only* mail
> from your domain, nor that you have full administrative control over them,

No one is saying the server sends mail *only* for your domain.  Only that
you have taken reasonable steps to ensure that mail from that machine
does not *forge* your domain.  I.e., you take responsibility for mail
from that machine.  This is implicit, but very clear to me when I
used the wizard.

> nor that a forged mail should never be able to pass thru them, nor that you
> actually commit to taking liability for all email coming thru these servers
> that claims to be "from you" or from another user of your domain.

I understood it to mean that I had made a best effort to ensure what you
just said.  I was not thinking about legal liability in case I screwed
up, and I didn't see anything about legal liability.  My SPF record just
says, "these are the machines I have done my best to ensure only send
authorized mail from this domain".  All of us make mistakes, and I would
expect failures in carrying out the required security, configuration, etc.,
to tarnish the domain's reputation, and my reputation.  If publishing
an SPF record means I might be put in jail if one of my servers gets hacked,
then maybe I'll want to remove it.  Can anyone clarify this?

> These extensions about "responsibility", "liability" or "accountability" are
> pure extrapolations in the mind of people thinking that SPF should mean more
> than what it does actually mean.

If you are correct, then the only meaningful SPF result would be FAIL.
The others are functionally equivalent if '+' means "may or may not
be legit" just like '?'.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
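
An added example, not part of the original message: a small evaluator for the `ip4`/`ip6`/`all` terms of an SPF record, showing how the `+`, `?` and `-` qualifiers map to results and what a receiver can act on when `+` is or is not read as the domain vouching for the sender. The record, the addresses and the `receiver_action` policy are constructed for illustration; mechanisms that need DNS are not evaluated.

```python
import ipaddress

# SPF qualifier -> result; "+" is the default when no qualifier is written.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record using documentation address ranges.
RECORD = "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.7 -all"

def check_ip(record, client_ip):
    """Evaluate only the ip4:/ip6:/all terms of an SPF record, left to right."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        # a, mx, include, redirect= etc. need DNS lookups; skipped in this sketch
    return "neutral"  # nothing matched and no "all" term

def receiver_action(result, domain, pass_is_vouched=True):
    """Hypothetical receiver policy built on the SPF result."""
    if result == "fail":
        return "reject"
    if result == "pass" and pass_is_vouched:
        # The domain takes responsibility, so reputation can accrue to it.
        return "score-by-domain:" + domain
    # neutral, softfail, none, or a pass that carries no commitment
    return "no-information"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        res = check_ip(RECORD, addr)
        print(addr, res,
              receiver_action(res, "example.com"),
              receiver_action(res, "example.com", pass_is_vouched=False))
```

With `pass_is_vouched=False` the pass and neutral rows produce the same action, leaving fail as the only result a receiver can act on.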

