spf-discuss

Re: SPF and Responsibility

2004-07-22 11:36:44
On Thu, 22 Jul 2004 11:14:14 -0700, Jonathan Gardner
<jonagard(_at_)amazon(_dot_)com> wrote:
The sender domain *ONLY* asserts "this server is legitimate for sending
mail coming from my domain". And not anything further than this.

The SPF record makes a statement about a server "it is legitimate for
this domain". It does not make any statement about a given message.

Again, if a sending server is legitimate, why would the messages it sends be
illegitimate?

You told me that it was a legitimate server. But now you are telling me it
doesn't send legitimate mail. Which one is it? Make up your mind!

I've pretty much made up my mind. No one has given any arguments to
contradict my assertions. If you cannot trust a server to send legitimate
mail only, do not tell me to trust it. List it as '?', but don't list it as
'+'.

It seems to me that some are confusing things a little.  In my mind,
all SPF asserts is that a set of IP addresses is legitimate for a
domain.  Given the IP address of a connected SMTP client, an SPF
record makes an assertion as to the legitimacy of the server at that
IP address to send messages with an envelope from (and potentially
other uses) of that domain.

We may prefer for an SPF record to make an assertion about the
legitimacy of the messages sent through the legitimate server and to a
degree it does, but an SPF record does not, in my opinion, make any
assertions as to why that legitimate server is sending the message or
how the message got to the legitimate server to be relayed.

If an illegitimate message comes from a legitimate server, that's not
a flaw of SPF, because SPF doesn't make any claims about the messages,
only the server.  There is no certification process required for a
domain owner to make an assertion about whether or not a particular
server IP address is legitimate for their domain and I think that's
why reputation systems are talked about as one of the next steps after
SPF.

The domain owner of isendspam.com can designate a server IP address as
legitimate for isendspam.com in a SPF compliant TXT record in the DNS
associated with the isendspam.com domain name.  Messages from that
server are legitimate for isendspam.com and are completely consistent
with SPF, even if the recipients of every message sent through that
server consider all of those messages to be spam.

SPF asserts legitimacy of a server IP address as it relates to a
domain.  It does not make any assertions concerning the desirability
of the messages using that domain and sent through that server.  That
desirability problem is still on the to-do list of the electronic mail
community.

-- 
David R. Sowder
University of Texas at Arlington
Department of Modern Languages
Language Acquisition Center Supervisor
Work: davids(_at_)uta(_dot_)edu
Personal: david(_at_)sowder(_dot_)com
Testing: davidrsowder(_at_)gmail(_dot_)com
http://david.sowder.com/
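
Added illustration, not part of the original message: a minimal Python sketch of the check the message describes, covering only the ip4, ip6 and all mechanisms and the '+', '-', '~' and '?' qualifiers. The records, the domain cautious.example, the documentation-range addresses and the helper receiver_view are constructed for this example.

```python
import ipaddress

# Qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records; the addresses are documentation ranges, not real hosts.
RECORDS = {
    "isendspam.com": "v=spf1 +ip4:192.0.2.25 -all",
    "cautious.example": "v=spf1 ?ip4:198.51.100.0/24 -all",
}


def check_host(client_ip, record):
    """Evaluate a simplified SPF record against the connecting client's IP.

    Mechanisms that need DNS lookups (a, mx, include, ...) and modifiers
    are skipped in this sketch.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix defaults to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def receiver_view(client_ip, mail_from_domain, message_body):
    # message_body is accepted but never consulted: the check has no input
    # for it, so a designated server gets the same result for any message.
    return check_host(client_ip, RECORDS[mail_from_domain])
```

The result is a function of the client IP and the domain's record alone, which is why a '+' listing yields "pass" whatever the message contains, while a '?' listing yields "neutral".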

