spf-discuss

Re: question about 'mechanism prefix' softfail and neutral

2004-08-10 10:41:12
On Tue, 10 Aug 2004, Jonathan C. Detert wrote:

> As you know, the mechanisms can be prefixed with 1 of 4 characters:
>
>         -       : meaning, fail
>         ~       : meaning, 'softfail'
>         +       : meaning, pass (the default)
>         ?       : meaning, 'neutral'
>
> The meaning of fail and pass is obvious, but what do 'softfail' and
> 'neutral' mean?  What will the MTA do if the result of the spf query is
> 'softfail'?  What will the MTA do if the result is 'neutral'?

softfail means "FAIL, but I'm new at this and testing, I might have
made a newbie mistake, so consider not rejecting my mail please".

neutral means don't know.  SPF is three state logic.  The usefulness
of the don't know state is best illustrated by some examples.

The SPF for my family domain is:

gathman.org text "v=spf1 mx:bmsi.com ?ptr:cox.net ?ptr:earthlink.net -all"

Ideally, everyone would send mail through the MX with SMTP AUTH.
However, asking family members to change their Windows
configuration is a touchy subject (apparently this applies to 
employees as well).  So some legit users send mail through smtp servers
at Cox or Earthlink.  But neither ISP prevents domain forgery, so I can't
guarantee that no forgeries will ever come through those ISPs.  While less than
ideal, at least the -all eliminates forgeries from Asia, etc.

The SPF for AOL is:

aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"

All AOL mail ought to originate from their servers.  However, millions of
AOL users put an AOL address as the return address in whatever mail system
they happen to be using.  AOL is marketed as internet for those who
are clueless when it comes to computer tech - so asking them to configure
any foreign MUAs they use for SMTP AUTH is probably asking too much.  And
telling them they can only send mail using AOL won't go over well either.
While the AOL people try to figure out how to bring their customer base
forward into authenticated email, at least you know which AOL email
actually came from AOL.

For what it's worth, my SPF checker has a reject_neutral option which
lists domains for which neutral is treated as 'fail'.  AOL and Hotmail
are in that list :-)  I've never met an AOL customer that knew it was
possible for them to send email without using AOL.  And the whole point
of Hotmail is to send mail using their Web based MUA.  I've never noticed
a false positive from rejecting neutral for AOL and Hotmail.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
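As an added illustration of the qualifier semantics and the three-state logic discussed above (this is example code written for this page, not code from the post and not Stuart's SPF checker), the following minimal evaluator parses the two records quoted in the thread, walks the mechanisms left to right, and returns the qualifier of the first match. DNS is stood in for by constructed lookup tables (the `FAKE_MX` and `FAKE_PTR` dicts, using documentation IP ranges), the `ptr` check is simplified to a suffix match on an already-validated reverse name, and the `reject_neutral` option is modelled as a set of sender domains passed to `receiver_action`.

```python
import ipaddress

# Constructed stand-ins for DNS (not real data): MX host addresses per
# domain, and forward-confirmed reverse names per sending IP.
FAKE_MX = {"bmsi.com": ["192.0.2.10"]}
FAKE_PTR = {
    "192.0.2.10": "mail.bmsi.com",
    "198.51.100.5": "smtp.cox.net",
    "203.0.113.7": "mail.example.test",
}

# The two records quoted in the post, keyed by the sender domain.
RECORDS = {
    "gathman.org": "v=spf1 mx:bmsi.com ?ptr:cox.net ?ptr:earthlink.net -all",
    "aol.com": ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
                "ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 "
                "ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"),
}

# Qualifier prefix -> result name; '+' is the default when no prefix is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(txt):
    """Split a v=spf1 record into (result, mechanism, argument) triples."""
    tokens = txt.split()
    if not tokens or tokens[0] != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        terms.append((QUALIFIERS[qual], name, arg))
    return terms


def mechanism_matches(name, arg, ip, domain):
    """Does this mechanism match the connecting IP?  Uses the fake tables."""
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "mx":
        return ip in FAKE_MX.get(arg or domain, [])
    if name == "ptr":
        # Simplification: FAKE_PTR holds the validated reverse name; the
        # mechanism matches when that name is in (or is) the target domain.
        host = FAKE_PTR.get(ip)
        target = arg or domain
        return host is not None and (host == target or host.endswith("." + target))
    raise ValueError("unsupported mechanism: " + name)


def check_host(ip, domain, records=RECORDS):
    """Return pass/fail/softfail/neutral/none for a sending IP and domain."""
    txt = records.get(domain)
    if txt is None:
        return "none"
    for result, name, arg in parse_record(txt):
        if mechanism_matches(name, arg, ip, domain):
            return result
    # No mechanism matched and no 'all' term: the SPF default is neutral.
    return "neutral"


def receiver_action(result, domain, reject_neutral=frozenset()):
    """Map an SPF result to an MTA decision.  'fail' is rejected outright;
    'neutral' is rejected only for domains listed in reject_neutral (the
    post's policy for AOL and Hotmail); 'softfail' is accepted but marked
    so a downstream filter can weigh it."""
    if result == "fail":
        return "reject"
    if result == "neutral" and domain in reject_neutral:
        return "reject"
    if result == "softfail":
        return "accept_and_mark"
    return "accept"


if __name__ == "__main__":
    policy = {"aol.com", "hotmail.com"}
    for ip, dom in [("192.0.2.10", "gathman.org"), ("198.51.100.5", "gathman.org"),
                    ("203.0.113.7", "gathman.org"), ("152.163.225.7", "aol.com"),
                    ("198.51.100.5", "aol.com")]:
        r = check_host(ip, dom)
        print(f"{dom:12} from {ip:15} -> {r:8} -> {receiver_action(r, dom, policy)}")
```

Running it shows why neutral is useful: a Cox relay sending as gathman.org lands on `?ptr:cox.net` and is accepted, an unrelated host hits `-all` and is rejected, and an AOL address sent through the same Cox relay comes back neutral, which the receiver may or may not reject depending on its own per-domain policy.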