spf-discuss

Re: Please Don't Reject SPF NEUTRAL

2004-09-18 13:54:07
Scott Kitterman wrote:

> '+' essentially says I guarantee it's not a forgery and if
> it's spam, feel free to punish me.

While I agree with most of what you've said this is NOT TRUE.
'+' says "my mail may be sent with the implied IP(s)", but it
doesn't say "any mail sent with the implied IP(s) and claiming
to be sent from me is no forgery".

I know that this is your personal interpretation, but it's not
in the specs.  Otherwise something like "+all" would be an
obvious lie.  But "+all" is no lie, it's only stupid.  It does
not guarantee "no forgery".

If you say that "+" implies "feel free to punish me if it's
spam", then where's the problem?  Either your mail provider
fixes this problem very fast, or it's a spam-friendly provider
allowing his users to forge your MAIL FROM.  And in the latter
case you would leave this criminal organization a.s.a.p., and
don't waste your time with modifying "+" into "?".

> SMTP AUTH really has nothing to do with it.

Probably Jonathan was talking about RfC 2476 resp. 2476bis,
<http://www.ietf.org/internet-drafts/draft-gellens-submit-bis-00.txt>

 [6.1, another case of "MAY-be not", sigh]
| The MSA MAY issue an error response to the MAIL FROM command
| if the address in MAIL FROM appears to have insufficient
| submission rights, or is not authorized with the
| authentication used (if the session has been authenticated).

Together with 8.1 there are too many "MAY-be not" in 2476bis,
let's hope that the authors either fix it, or drop this draft.

> Someday rejecting NEUTRAL may be fine.

That won't happen in our lifetime, therefore I don't worry.

                         Bye, Frank
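
The qualifier semantics discussed in this message, as an added example that is not part of the original post: a small evaluator showing what result each qualifier produces, including "+all" returning pass for every client IP. The function name `evaluate`, the records and the addresses (documentation ranges) are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are handled, with result names as in RFC 7208.

```python
import ipaddress

# Qualifier -> result returned when the mechanism matches (RFC 7208, 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, client_ip):
    """Evaluate a constructed SPF record against the connecting client IP.

    Mechanisms that need DNS (a, mx, include, exists, ptr) and modifiers
    are outside this sketch and raise ValueError.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record
    for term in terms[1:]:
        qualifier = "+"  # '+' is the default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True  # matches every client IP
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"unsupported term: {term}")
        if matched:
            # First matching mechanism decides; the result only says how the
            # domain classifies this IP, nothing about the message itself.
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: default result is neutral


if __name__ == "__main__":
    # Constructed sample records and addresses.
    for rec in ("v=spf1 +all",
                "v=spf1 ip4:192.0.2.0/24 -all",
                "v=spf1 ?ip4:192.0.2.0/24 -all"):
        for addr in ("192.0.2.10", "198.51.100.7"):
            print(f"{rec!r:36} {addr:14} -> {evaluate(rec, addr)}")
```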