On Fri, 22 Oct 2004 16:57:15 -0500, Seth Goodman
<sethg(_at_)goodmanassociates(_dot_)com> wrote:
Your MTA, your rules. That goes without saying and nothing will ever change
that. A sensible recipient is also interested in what the sender's policy
is. Why? Because not all senders are spammers and some of the sender
policies are strict enough to meet your local policy requirements. Since
sender authentication at this point in time does not consist of a single
technique, senders employ a variety of mechanisms, some of which give a
higher degree of authentication than others. The recipient can look at the
sender policy and see if it is strict enough to meet their guidelines and if
the validation mechanism is acceptable to them. If it is, it would make no
sense to use a validation mechanism incompatible with the authentication
scheme used by the sender. An example is insisting that the incoming mail
pass a DK signature validation, even if it was S/MIME signed. You can do
that, but it's a poor implementation choice. While no one can force a
recipient to do anything, there is every reason to believe that they will
act in their own self-interest and look at reasonable sender policies.
If you want to apply every SPF record to the PRA scope, even though the
domain owners did not intend for them to be evaluated that way and it will
cause you to reject a fair amount of legitimate mail, that is your choice.
This makes me wonder what your actual goal is here. Is it to use PRA at any
cost, despite its rejection by the larger technical community, or to
properly authenticate various identities for incoming mail?
Seth,
I'm using your posting to this thread as the starting point for my
reply. While you are correct in saying "Your MTA, your rules", I think
that is a pretty narrow view. I also view what Phillip wrote as
troubling.
The goal is to get the correct outcome for both (legitimate) sender
and intended recipient. Choosing to ignore or misuse a standard is
problematic.
One need only look at earlier days when there was a significantly
larger number of email gateways to non (rfc) compliant email systems.
We used to say that gateways were designed to lose information.
So let's consider the case of a piece of mail (important one for
arguments sake) that didn't get through. Phillip is tasked by his CEO
to troubleshoot why the email didn't get through. I'm tasked by my CEO
(who sent the email). I find out that the email was rejected by
Phillips MTA implementation which improperly applies PRA to the SPF1
records published by my company.
At this point I will go back to my CEO and tell him that Phillips
implementation is broken and incorrectly rejecting incoming mail that
meets the SPF1 specifications. I would suggest that he speak with
Phillips CEO in the hope that Phillip arranges for an implementation
that follows the specification.
We probably send all of about 50 emails a month to Verisign so meeting
Phillips PRA implementation isn't high up on my radar screen.
Let's talk about Microsoft and implementing inbound PRA checking. My
inclination is to believe that the first implementation will be for
MSN/Hotmail.
If something is broken and we start getting calls to our customer
service group then my team will look into the issue. If we find that
mail is not getting through because of improper checking (not
specified in the published standard) then I will kick it upstairs as a
political/business issue rather than a technical one. In the interim
we would be telling people that the mail is getting rejected due to a
technical issue at the recipients ISP/mail provider. This would get
pushed up the food chain on both sides because it would very quickly
involve large numbers of users impacted.
The important thing to remember (and which seems to get forgotten
sometimes) is that many (most?) of us participating here have
obligations to individual senders and recipients. Not contractual ones
necessarily but ethical ones. If one party is following the standard
and the other is not then it is fairly clear which party needs to fix
it's implementation.
Now, if my CEO says fix it so the mail gets through to MSN/Hotmail
because they are too important and won't change how they do things,
I'm going to ask what he wants done if the fix breaks mail to other
recipient MTAs that do follow the standard. In that respect I'm a
hired gun and can live with the issues either way. I may have my
opinions but as long as the person (up the food chain) that makes the
call accepts the consequences then I won't lose sleep over it.
Mike