On Thursday Mark Wrote
On Wed, 2004-07-21 at 18:02, David Beveridge wrote:
On Thursday Stuart wrote:
When you designate a server as '+', you are saying, "to the best of my
knowledge and ability, this server will never send forged email from
this
domain."
Unless it's your own mail server you cannot say this. The plus means
that
your mail comes from this server. It does not mean that all mail coming
from the server is from you.
I don't understand. Why can't I make this claim for servers I don't
own?
(I'm assuming that in the above you meant to say something like "It does
not mean that all mail coming from the server _and purporting to be from
you_ is from you", since obviously a reputable shared server will also
be sending non-forged mail from other domains too. :-) )
Let's say I have an awful ISP, and that I don't want to deal with
keeping up a mailserver myself, so I go to a reputable email service
provider to handle my domains email.
I believe that they don't allow cross-customer forgeries, (perhaps I've
tested this), I trust their security setup, and I've set things up with
them so that they don't allow other people to send mail purporting to be
from my domain.
This may be true for you, but not all ISPs have their servers set up in this
way and I suspect that many don't.
What would prevent me from being able to use Stuart's wording and
honestly say, "to the best of my knowledge and ability, this server will
never send forged email from this domain"?
Nothing, except we're talking about what the + means in the specification
not your specific case.
Also note that if there is no symbol it is taken a + eg "v=spf1 a mx -all"
The possible prefixes, and the results they return are:
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral
When you query SPF, and you get a Pass it means that this server is allowed
to send mail. It make no further claims other than that.
dave