spf-discuss

RE: Please Don't Reject SPF NEUTRAL

2004-09-17 12:38:55
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Jonathan Gardner
Sent: Friday, September 17, 2004 3:13 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Please Don't Reject SPF NEUTRAL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 17 September 2004 09:17 am, Scott Kitterman wrote:

Rejecting on a NEUTRAL result is a violation of the spec and it's going
to hurt SPF as a whole.  If someone has published a record that produces a
NEUTRAL result, then they probably have a reason for it.  It may be that
they are trying to avoid falsely authorizing e-mails they didn't send (my
reason) or it may be that they are trying to spam you and piggyback on
someone else's ?all record.  There's no way you can know without looking
at the message contents (which is what you would do if there was no SPF).

Please, just follow the spec.  Many of us depend on it.


I think you are seeing the next generation of email come into action, as
Meng has described. It isn't the responsibility of receivers to accept
email. They get to pick and choose what kinds of emails they will accept.
Their only duty is to tell the sender that their message wasn't accepted.
It is the responsibility of the senders to make sure their message gets
through.

If you need your messages to get through, you are responsible for
identifying the mail servers that send email for you and listing those as
'+'. You are also responsible for maintaining your domain name so that it
has a good reputation. If you want to engage with this particular person,
you need to get your domain added to his whitelist.

You should call your ESP and tell them that your mail is getting rejected
because they won't SMTP AUTH their senders.

- --
Jonathan M. Gardner

You may be right about this being the start of the next generation.  If so,
people need to slow down.  The simplest way for me to solve this problem is
to pull down my SPF records.  I'm a small business owner.  I do not have
access to an MTA (other than through webmail and that isn't the answer) that
doesn't permit other authorized users to forge my domain if I put a '+' in
my SPF record.  Neither my domain host nor either one of my two ISPs.  I
can't afford the time or the money (I already invest WAY too much time in
SPF) to go contract for yet another mail service provider.

SPF is defined as the Sender Policy.  I've defined my sender policy and I
don't think it's unreasonable to expect people to follow it in a spec
compliant way.  There has been lots of discussion on this list about how
important it is for senders to have a reliable, consistent understanding of
what the different SPF receive implementations will do.  If the senders
can't anticipate the result of a policy, then they won't publish it.

If people want to write an SPF spec that says reject NEUTRAL, and people buy
into that, OK.  But in the mean time, all I ask is that people follow the
rules.  There is one thing in your e-mail that I STRONGLY disagree with,
"you are responsible for identifying the mail servers that send email for
you and listing those as '+'."  I agree I need to identify the mail servers
permitted to send for my domains, but listing them as '+' may or may not be
a good idea.  '+' essentially says I guarantee it's not a forgery and if
it's spam, feel free to punish me.  For current shared MTAs, I shouldn't say
that.  It would be foolish.

SMTP AUTH really has nothing to do with it.  SMTP AUTH just says that I am
an authorized user of the MTA.  In every implementation of it I've run into
it says nothing about what mail identities I am authorized to do.  The key
is setups to prevent cross-customer forgery.  I could do that with POP
before SMTP if I had to.

Someday rejecting NEUTRAL may be fine.  Today it's going to hurt SPF
deployment.  If I get too many of these before my providers upgrade to allow
me to use '+' more often in my record, then I'll have to pull my SPF records
down.

Scott Kitterman
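The disagreement above is about what the '+' and '?' qualifiers say and what a receiver is allowed to do with a NEUTRAL result. The following is an added illustration, not code from this thread or from any SPF implementation: a minimal Python evaluator that handles only ip4/ip6/all mechanisms with their qualifiers, plus a receiver-side decision function that contrasts spec-compliant handling of NEUTRAL (treated like None, i.e. accepted) with the reject-on-NEUTRAL behaviour Scott objects to. The domain names, records and IP addresses are constructed sample data using RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample records (not from the list post). The "cautious" record models
# Scott's situation: his own server is listed with '+', but the shared MTAs of his
# providers are only listed with '?', so mail from them evaluates to NEUTRAL rather
# than PASS. The "strict" record models Jonathan's advice: every sender is '+',
# everything else is '-all'.
SAMPLE_RECORDS = {
    "cautious.example": "v=spf1 ip4:192.0.2.10 ?ip4:198.51.100.0/24 ?all",
    "strict.example": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a minimal SPF record for the connecting client IP.

    Only ip4, ip6 and all mechanisms are supported; anything else yields
    permerror. Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # unsupported mechanism in this toy evaluator
    # No mechanism matched and there is no 'all': the spec's default is neutral.
    return "neutral"


def receiver_decision(result, reject_neutral=False):
    """Map an SPF result to an SMTP-time action.

    The SPF spec (RFC 4408, section 2.5.2) says a Neutral result MUST be
    treated exactly like None, so a compliant receiver never rejects on it.
    reject_neutral=True models the non-compliant behaviour discussed in the
    thread, so the two policies can be compared side by side.
    """
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-mark"
    if result == "neutral" and reject_neutral:
        return "reject"  # violates the spec; breaks senders who rely on '?'
    return "accept"  # pass, neutral, none and (here) permerror


if __name__ == "__main__":
    # Mail relayed through a shared provider MTA (198.51.100.7) for each record.
    for domain, record in SAMPLE_RECORDS.items():
        result = evaluate_spf(record, "198.51.100.7")
        print(domain, result,
              "compliant:", receiver_decision(result),
              "reject-neutral:", receiver_decision(result, reject_neutral=True))
```

Running the block shows the practical difference: with the cautious record the shared MTA yields neutral, which a compliant receiver accepts and a reject-on-NEUTRAL receiver bounces; with the strict record the same MTA yields pass, which is exactly the guarantee Scott says he cannot responsibly give for a shared server.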