spf-discuss

Re: SPF and Responsibility

2004-07-22 09:27:25
On Thu, 22 Jul 2004, Michel Bouissou wrote:

I have a local SPF tree in DNS that my client's MTAs delegate to when
there is no SPF record.  This allows me to "whitelist" broken servers
for my clients in a much more flexible way than simply "accept all mail
from this domain".

How do you actually do that? A standard SPF implementation wouldn't do that 
as far as I know, to fall back to another domain when the sending domain has 
no SPF record.

Looks up sender-domain.com._spf.delegate-domain.com

My client and I use Python milter (for which I need to get out a new release
to handle CID, i.e. hotmail.com):

http://bmsi.com/python/milter.html

In SPF, it is the sender's domain that states which servers it uses. The SPF 
record is under _their_ control and not under the control of the recipient 
MTA (although the recipient MTA is free to make any decision it wishes with 
the information it gets from SPF, based on local policy).

Yeah.  Yeah.  The problem is that the sender is too clueless to have
a reverse IP or send from an MX, or even have a valid HELO name, much less
actually publish an SPF record.  My "ghost" SPF system, as you call it,
lets me do what their sysadmin should have done as far as it affects
my clients.  I could see something like RBLs springing up - sites that
maintain ghost SPF records for clueless but important senders.  Of course,
this lessens the motivation to fix their problem - but only if they like
leaving their email reputation in the hands of optional data maintained
by 3rd party volunteers.

There are only a half dozen domains in my ghost SPF system so far, most
sites work ok with my SPF default: "v=spf1 a/24 mx/24 ptr ?all".  The 
delegation system is just an elaboration on the default SPF record.

But modifying the implementation in such a way that a "ghost" SPF record is 
gotten from recipient's servers when the sending domain's server doesn't have 
any, is IMHO something else that we cannot really call SPF anymore, even 
though the protocol used is basically the same.

It's just like when someone is mentally incompetent, and someone else has
to take responsibility for them.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
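
The fallback order described in this message, sketched as an added example (not code from the post's author or from Python milter): the sender's own SPF record always wins, the receiver-maintained record at sender-domain.com._spf.delegate-domain.com is consulted only when the sender publishes none, and the default record quoted above is the last resort. The function names, the sample domains and the in-memory TXT table are assumptions constructed for illustration; treating multiple published records as an error follows the later SPF RFCs rather than anything stated in the post.

```python
# Added illustration; names and sample data are constructed, not from the post.
DEFAULT_SPF = "v=spf1 a/24 mx/24 ptr ?all"   # default record quoted in the post
DELEGATE_ZONE = "_spf.delegate-domain.com"   # name pattern quoted in the post

# Constructed TXT data standing in for live DNS answers.
SAMPLE_TXT = {
    "good.example": ["unrelated txt string", "v=spf1 mx -all"],
    "broken.example": ["site-verification=constructed"],
    "broken.example._spf.delegate-domain.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

def sample_lookup(name):
    """Hypothetical resolver stub: return the TXT strings at `name`."""
    return SAMPLE_TXT.get(name, [])

def spf_records(name, txt_lookup):
    """Return only the TXT strings at `name` that are SPF version 1 records."""
    found = []
    for txt in txt_lookup(name):
        lowered = txt.lower()
        if lowered == "v=spf1" or lowered.startswith("v=spf1 "):
            found.append(txt)
    return found

def select_policy(sender_domain, txt_lookup,
                  delegate_zone=DELEGATE_ZONE, default=DEFAULT_SPF):
    """Return (source, record) so local policy can log whose data was used."""
    domain = sender_domain.rstrip(".").lower()
    own = spf_records(domain, txt_lookup)
    if len(own) == 1:
        return "sender", own[0]      # the sender's published policy is never overridden
    if len(own) > 1:
        return "error", None         # ambiguous publication: do not guess, do not fall back
    ghost = spf_records(f"{domain}.{delegate_zone}", txt_lookup)
    if len(ghost) == 1:
        return "ghost", ghost[0]     # receiver-maintained record for this sender
    return "default", default        # generic best-guess record

if __name__ == "__main__":
    for d in ("good.example", "broken.example", "unknown.example"):
        print(d, select_policy(d, sample_lookup))
```

Returning the source alongside the record lets the receiving MTA distinguish a result based on the sender's own statement from one based on locally maintained data.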

