On Wed, 21 Jul 2004, Mark Shewmaker wrote:
In my mind there's simply little point to a standard in which a sender
can only either make negative claims of legitimacy or useless claims of
legitimacy.
So, do you think the spec and accompanying documentation *should* say
what you think it *does* say?
I think that publishing an SPF record should be like signing a statement
at the end of a form that says, "everything on this form is true and correct to
the best of my knowledge".
When you designate a server as '+', you are saying, "to the best of my
knowledge and ability, this server will never send forged email from this
domain."
When you designate a server as '-', you are saying, "to the best of my
knowledge and ability, this server will never send legitimate email
from this domain."
If you get hacked or make a mistake, then any prosecution should have to
show that you *knowingly* lied about hackedrelay.bigcompany.com,
(e.g. you are the sysadmin for bigcompany and a spammer paid you to give them
a backdoor.)
Repeated mistakes should result in a dismal reputation (e.g. Microsoft),
not legal liability.
What do I think the spec *does* say? I did not even think about any
legal aspect. I thought that by publishing an SPF record, I was promising
that it was "true to the best of my knowledge".
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.