
RE: SPF and Responsibility

2004-07-22 04:39:57
You are correct in that the wording of the spec is misleading.

But the reality is:
spf fail equates to "this email is guaranteed not legit, because it's coming from a server not authorized to send email on the sender domain's behalf" (and of course that guarantee is dependent on proper configuration of servers, spf records, and proper spf implementation)

spf pass equates to "this email is potentially legit, because it's coming from a server that IS authorized to send email on the sender domain's behalf"

Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Mark Shewmaker
Sent: Thursday, July 22, 2004 6:50 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF and Responsibility


On Thu, 2004-07-22 at 06:13, Michel Bouissou wrote:
No, no.

The "+" character, once again, does not mean that <<the sender is willing to stand behind messages from his domain from this server, putting his reputation on the line.>>

It doesn't mean either that the sender asks <<please trust that mail from a certain server>>

Actually the sender doesn't ask anything such as "please trust..." and he makes no assertion about a given message.

The sender domain *ONLY* asserts "this server is legitimate for sending mail coming from my domain". And not anything further than this.

There are two issues here:  What should the spec try to say (and imply), and what does the spec actually say (and imply.)

Let's address them separately.

On what-should-the-spec-try-to-say:

  As a recipient, I care whether a piece of mail is authentic.
  I don't care whether the server is legitimate versus
  possibly-legitimate if that bit of information doesn't
  mean I can conclude that the mail is authentic.

  If we were to take your interpretation of the current spec, PASS
  wouldn't be useful as a more positive statement than NEUTRAL.

  So, if what you say were true, what would be the purpose in having
  a PASS result in the spec at all?

  What good would it actually do in the real world, especially
  compared to an alternative the-message-is-legitimate possibility?

  If it had no useful purpose, (as I believe is the case with your
  interpretation), I would say that we should change the spec so
  it did, (such as the interpretation I claim is valid.)

  So since you've claimed that PASS doesn't mean the message is
  authentic, I'm curious if you think it *should* mean that?

On what-the-spec-does-say:

  Quoting from the latest marid draft:
  http://www.imc.org/ietf-mxcomp/mail-archive/msg02719.html:

  |5.2  Pass
  |
  |   An SMTP server receiving this result SHOULD treat the message as
  |   authentic.  It may accept or reject the message depending on other
  |   policies.

  There's nothing about server legitimacy mentioned there, instead both
  sentences refer to the incoming message itself.

--
Mark Shewmaker
mark(_at_)primefactor(_dot_)com

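The thread argues over what a "+" qualifier and a PASS result let a receiver conclude. The following evaluator is an added example, not code from this list or from any SPF implementation; it models only the ip4, ip6 and all mechanisms (no DNS-based mechanisms such as include, a or mx) and uses a constructed sample record on documentation address ranges. It shows the mechanics both posters agree on: a FAIL means the connecting host is not on the domain's authorized list, a PASS means it is, and either result speaks about the envelope-sender domain's authorization of the host, with any further accept/reject decision left to the receiver's other policy.

```python
"""Minimal SPF evaluator (added example; hypothetical code, not from the thread).

Assumptions: only ip4/ip6/all mechanisms, no DNS lookups, no include/redirect.
SAMPLE_RECORD and the client IPs below are constructed test data drawn from the
RFC 5737 / RFC 3849 documentation ranges."""
import ipaddress

# Qualifier prefixes for spf1 mechanisms; "+" is the default when none is given,
# which is the character Michel's message was discussing.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record: str):
    """Split an spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def evaluate(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral for client_ip against record.

    Mechanisms are tested left to right and the first match wins; a record
    that matches nothing yields neutral, the spf1 default."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_record(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS; not modelled")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def receiver_disposition(result: str) -> str:
    """What the receiver may conclude from each result, as the thread frames it:
    fail = host not authorized for the domain; pass = host authorized, so the
    message may be treated as authentic for that domain while other policy
    (content filtering, reputation) still decides accept or reject."""
    return {
        "pass": "host authorized by domain owner; treat as authentic, apply other policy",
        "fail": "host not authorized by domain owner; rejection is justified",
        "softfail": "host probably not authorized; mark, do not reject on this alone",
        "neutral": "domain owner makes no assertion; same as having no SPF record",
    }[result]


# Constructed sample policy: one authorized /24, one soft-failed host, one
# authorized IPv6 prefix, and an explicit hard fail for everything else.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ~ip4:198.51.100.7 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1", "203.0.113.9"):
        result = evaluate(SAMPLE_RECORD, ip)
        print(f"{ip:16} -> {result:8} {receiver_disposition(result)}")
```

Note that a PASS here says only that the domain owner listed the connecting host; it carries no statement about the message body, which is exactly the gap both sides of the thread are circling.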

