spf-discuss

Re: SPF and Responsibility

2004-07-22 13:59:49
On Thu, 22 Jul 2004 16:40:50 -0400 (EDT), Stuart D. Gathman
<stuart(_at_)bmsi(_dot_)com> wrote:
> On Thu, 22 Jul 2004, David Sowder wrote:
>
>> It seems to me that some are confusing things a little.  In my mind,
>> all SPF asserts is that a set of IP addresses is legitimate for a
>> domain.  Given the IP address of a connected SMTP client, an SPF
>> record makes an assertion as to the legitimacy of the server at that
>> IP address to send messages with an envelope from (and potentially
>> other uses) of that domain.
>
> I think the word 'legitimate' is confusing things.  In the context
> of SPF it should mean 'the return path domain was not forged'.  'Legitimate'
> messages from a SPF compliant spammer will be spam.  SPFv1 is concerned with
> stopping return path forgery - and that's it.  So let's restate the
> results using the word 'forged' instead of 'illegitimate'.
>
> + means messages from this server with this domain are never forged
> - means messages from this server with this domain are always forged
> ? means messages from this server with this domain may or may not be forged
> ~ means messages from this server with this domain are most likely forged

Yes, except my point is that we only really know that this return
path domain is not forged when coming from this server.  We don't know
about the message body or anything else associated with the message
because SPFv1 doesn't make any assertions about those items.

SPFv1 doesn't assert anything about how the message got to that server
in the first place, which is why reputation systems are likely to get
involved once we have SPFv1 verifying the return path domains of
our incoming messages.  (We can then look at who is more likely to
allow what we would consider to be junk to get injected into their
outgoing mail queue).

-- 
David R. Sowder
University of Texas at Arlington
Department of Modern Languages
Language Acquisition Center Supervisor
Work: davids(_at_)uta(_dot_)edu
Personal: david(_at_)sowder(_dot_)com
Testing: davidrsowder(_at_)gmail(_dot_)com
http://david.sowder.com/
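
The qualifier semantics discussed in this message, as an added example that is not part of the original post or of any SPF implementation: a minimal evaluator for the `ip4`/`ip6`/`all` mechanisms that maps `+`, `-`, `~` and `?` to the RFC 7208 result names. The record, domain and addresses are constructed (documentation ranges), the `SAMPLE_RECORDS` table is an assumed stand-in for a DNS TXT lookup, and mechanisms that need DNS (`a`, `mx`, `include`) are deliberately not handled.

```python
import ipaddress

# Qualifier -> result name (RFC 7208 names). No qualifier means "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record standing in for a DNS TXT lookup (documentation ranges).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ~ip4:198.51.100.0/24 "
                   "?ip4:203.0.113.7 -all",
}

def evaluate(record, client_ip):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"                          # nothing matched and no "all"

def check_return_path(client_ip, mail_from):
    """The only inputs are the client IP and the envelope-from address;
    the message body and headers never enter the decision."""
    domain = mail_from.rpartition("@")[2].lower()
    record = SAMPLE_RECORDS.get(domain)
    if record is None or record.lower().split()[:1] != ["v=spf1"]:
        return "none"                         # domain makes no assertion
    return evaluate(record, client_ip)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7", "203.0.113.8"):
        print(ip, check_return_path(ip, "user@example.com"))
```

A `pass` here says only that the connecting address is one the return-path domain lists; how the message reached that server is outside what the function can see.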

