spf-discuss
[Top] [All Lists]

Re: SPF and Responsibility

2004-07-21 20:19:41
On Wed, 2004-07-21 at 22:31, David Beveridge wrote:
On Thursday Mark Wrote

Let's say I have an awful ISP, and that I don't want to deal with
keeping up a mailserver myself, so I go to a reputable email service
provider to handle my domains email.

I believe that they don't allow cross-customer forgeries, (perhaps I've
tested this), I trust their security setup, and I've set things up with
them so that they don't allow other people to send mail purporting to be
from my domain.

This may be true for you, but not all ISPs have their servers set up in this
way and I suspect that many don't.

The specific example I gave, which you quoted, assumed that the person
in question had an awful ISP for local access to the net.

(I guess I should have been more explicit about the example ISP allowing
forgeries on their mail servers.)

What would prevent me from being able to use Stuart's wording and
honestly say, "to the best of my knowledge and ability, this server
will never send forged email from this domain"?

Nothing, except we're talking about what the + means in the specification
not your specific case.

Nah, we're talking about both.

You had just said a little while ago that no one can make that sort of 
"to the best of my knowledge" type claim, "unless it's your own mail
server", implying that you can make the claim for servers you own, and
not for servers you don't.

Whether a person can honestly state that claim is a separate issue from
whether spf lets him do it.  Of course I claim both that you can make
that claim, and that spf should and does let you make it.  :-)

When you query SPF, and you get a Pass it means that this server is allowed
to send mail.  It make no further claims other than that.

I disagree.

For one, your interpretation would mean a PASS result would be of little
use practical use to anyone:  It would mean that the only useful result
from the point of view of recipients would be "FAIL:  This message is
not authentic."

Under your interpretation, all the other results would boil down to "the
message might or might not be authentic", and so there'd be no point in
any sending domain bothering to describe servers with "+" versus "?".  

They might as well be telling me their servers are painted green for all
the use it would do me as a recipient.

Given that it's so useless, it *can't* be the intended meaning. 
(Fortunately, these aren't laws and government regulations, so we can
say that. :-) )

Fortunately, the wording for what to do in the case of a PASS result is
even more clear in the latest marid core draft.  Looking at
http://www.imc.org/ietf-mxcomp/mail-archive/msg02719.html:

|5.2  Pass
|
|   An SMTP server receiving this result SHOULD treat the message as
|   authentic.  It may accept or reject the message depending on other
|   policies.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com


<Prev in Thread] Current Thread [Next in Thread>