spf-discuss

Re: SPF and Responsibility

2004-07-22 01:05:24
On Thursday Mark wrote:
> On Wed, 2004-07-21 at 22:31, David Beveridge wrote:
> > When you query SPF, and you get a Pass it means that this server is
> > allowed to send mail.  It makes no further claims other than that.

> I disagree.
>
> For one, your interpretation would mean a PASS result would be of little
> practical use to anyone:  It would mean that the only useful result
> from the point of view of recipients would be "FAIL:  This message is
> not authentic."

Pass isn't very useful as I see it; how does SPF tell me whether the ISP
has set up their mail server as you've described?  Fail is by far the more
useful response, because we know it isn't authentic.

Look at the code in the Postfix Perl policy:

  # map the SPF result onto a Postfix access policy action
  if    ($result eq "pass")  { return "DUNNO"; }
  elsif ($result eq "fail")  { return "REJECT " . ($smtp_comment || $header_comment); }
  elsif ($result eq "error") { return "450 temporary failure: $smtp_comment"; }
  else                       { return "DUNNO"; }
  # unknown, softfail, neutral and none all return DUNNO

> Under your interpretation, all the other results would boil down to "the
> message might or might not be authentic", and so there'd be no point in
> any sending domain bothering to describe servers with "+" versus "?".

I've got to say I like this idea, but the existing domains out there that
have already published SPF wouldn't conform to this.

A lot seems to have been removed from that latest memo, such as the
description of the meaning of + - ~ and ?.

I thought that once we identified that the mail was coming from the correct
mail server, then we could look up the IP address in a trust database to find
out the reputation of the server.  If the server belongs to a spammer it
will appear in an RBL somewhere pretty fast.

dave
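The decision flow Dave describes, as an added example that is not part of the thread or of the Postfix Perl policy: the SPF result alone drives reject/defer as in the quoted Perl, and a Pass is then followed by a reputation lookup on the client IP. The policy request, the reputation table and the addresses are all constructed stand-ins for a real Postfix policy request and RBL.

```python
from typing import Dict

# Constructed stand-in for an RBL / trust database keyed by client IP
# (192.0.2.0/24 is documentation space, so these are not real hosts).
CONSTRUCTED_REPUTATION = {
    "192.0.2.10": "bad",   # would be listed as a spam source
    "192.0.2.20": "good",
}

# Constructed Postfix policy-delegation request: name=value lines, blank line ends it.
CONSTRUCTED_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.com\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse the attribute block of a Postfix policy request into a dict."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":          # empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:                 # ignore malformed lines without '='
            attrs[name] = value
    return attrs


def spf_action(result: str, smtp_comment: str = "", header_comment: str = "") -> str:
    """Same mapping as the quoted Perl: only fail rejects, error defers, rest DUNNO."""
    if result == "pass":
        return "DUNNO"
    if result == "fail":
        return "REJECT " + (smtp_comment or header_comment)
    if result == "error":
        return "450 temporary failure: " + smtp_comment
    return "DUNNO"          # unknown, softfail, neutral, none


def decide(raw_request: str, spf_result: str, reputation: Dict[str, str] = CONSTRUCTED_REPUTATION,
           smtp_comment: str = "", header_comment: str = "") -> str:
    """Pass only proves the host is authorised for the domain, so check its reputation too."""
    attrs = parse_policy_request(raw_request)
    if spf_result == "pass" and reputation.get(attrs.get("client_address", "")) == "bad":
        return "REJECT sender host is listed as a spam source"
    return spf_action(spf_result, smtp_comment, header_comment)


def format_policy_response(action: str) -> str:
    """Postfix expects 'action=...' followed by an empty line."""
    return "action=" + action + "\n\n"
```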
