
Re: SPF and Responsibility

2004-07-22 05:46:16
Michel Bouissou wrote:
> On Thursday 22 July 2004 11:31, Mark Shewmaker wrote:
>
>> Uhm, err, with the "+" character, which tells you that the sender is
>> willing to stand behind messages from his domain from this server,
>> putting his reputation on the line.
>>
>> [...]
>>
>> For a sender to tell recipients to please trust that mail from a certain
>> server (claiming to come from his domain) really is from his domain,
>> means the sender has to trust that that is true too.  (To misquote
>> Jonathan's wording.)
>
> No, no.
>
> The "+" character, once again, does not mean that "the sender is
> willing to stand behind messages from his domain from this server,
> putting his reputation on the line."
>
> Nor does it mean that the sender asks "please trust that mail from a certain server".
>
> Actually, the sender doesn't ask anything such as "please trust...", and he makes no assertion about a given message.
>
> The sender domain *ONLY* asserts "this server is legitimate for sending mail coming from my domain". And not anything further than this.
>
> The SPF record makes a statement about a server: "it is legitimate for this domain". It does not make any statement about a given message.

Really.
Any given web page you receive from my server is expected to be from me.
If I say that a mail server is "authorized" (SPF PASS) to send e-mail
for me, and you receive e-mail claiming to be from me from that server,
it is implied (quite strongly) that it is a message from me in the same way.

If I do not _trust_ that the mail server will prevent other people from
using it and claiming to be me, I would be a FOOL to declare it an
"authorized server" in that sense. To do so would enable third parties
to damage my reputation. This is the reason the NEUTRAL code exists.

With NEUTRAL I can declare "I might use this server, but I can't prevent
forgeries from it" and let the receiver do with the message what they
will. This at least allows me to protect my domain somewhat with FAIL,
and doesn't make any unsupportable claims about whether any particular
message is actually from me.

AOL uses ?all because they have _millions_ of customers who might send
aol.com e-mail from anywhere. Most private domains should use -all to
provide maximum protection of their domain, with ? entries for any
potentially valid but _untrusted_ sources.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
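The qualifier semantics argued over above (a "+" host yields PASS, a "?" host yields NEUTRAL, a trailing "-all" yields FAIL for everything else, and "?all" never rejects anything) can be made concrete with a small evaluator. The following is an added illustration written for this archive page, not code from the thread or from any SPF implementation. It deliberately supports only the ip4, ip6 and all mechanisms so that it runs offline; records using a, mx, include or exists need DNS and are rejected rather than guessed at. The records, hosts and IP addresses are constructed for the example and belong to no real domain.

```python
"""
Minimal SPF qualifier evaluator (added illustration; not from the thread).

Only the ip4/ip6/all mechanisms are implemented so evaluation needs no DNS.
Records that use a/mx/include/exists raise ValueError instead of being
guessed at.  All records and addresses below are constructed examples.
"""
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SUPPORTED = ("ip4", "ip6", "all")


def parse_record(record):
    """Split 'v=spf1 ...' into a list of (qualifier, mechanism, argument).

    Raises ValueError for a non-SPF record or an unsupported mechanism.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in SUPPORTED:
            raise ValueError("mechanism %r needs DNS; not supported here" % name)
        if name == "all" and arg:
            raise ValueError("'all' takes no argument")
        if name != "all" and not arg:
            raise ValueError("%s requires a network argument" % name)
        parsed.append((qualifier, name, arg))
    return parsed


def check_host(record, client_ip):
    """Return the SPF result for a message arriving from client_ip.

    Mechanisms are tested left to right; the first one that matches decides.
    If nothing matches (no trailing 'all'), the result is 'neutral'.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_record(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if (name == "ip4") != (ip.version == 4):
            continue                         # wrong address family, skip
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


# Constructed policies (hypothetical addresses from documentation ranges).
# STRICT follows the advice in the message above: the owner's own mail host
# is "+", a host the owner may use but cannot police is "?", and everything
# else gets "-all".  PERMISSIVE is the "?all" style: nothing is ever rejected.
STRICT = "v=spf1 ip4:192.0.2.10 ?ip4:203.0.113.0/24 -all"
PERMISSIVE = "v=spf1 ip4:192.0.2.10 ?all"


def demo():
    """Evaluate a few constructed sending hosts against both policies."""
    return {
        "strict/own host": check_host(STRICT, "192.0.2.10"),            # pass
        "strict/shared host": check_host(STRICT, "203.0.113.77"),       # neutral
        "strict/elsewhere": check_host(STRICT, "198.51.100.5"),         # fail
        "permissive/elsewhere": check_host(PERMISSIVE, "198.51.100.5"), # neutral
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-22s %s" % (label, result))
```

The point the evaluator makes visible is that the record never says anything about a message: it maps a connecting IP address to a result, and the "?" entries let a domain keep "-all" for the hosts it does not use at all while declining to vouch for the ones it cannot police.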
