Oops! I made a mistake! :)
I don't use "?" or "~", that's what I get by going from memory.
"?" is neutral, "~" is soft fail
"?" is neutral, "~" is soft fail
"?" is neutral, "~" is soft fail
"?" is neutral, "~" is soft fail
"?" is neutral, "~" is soft fail
Thanks for the correction.
Guy
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg Connor
Sent: Thursday, October 28, 2004 7:01 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] I hate to interrupt all this for something practical, but.... we need a concise, easy-to-follow set of SPF instructions in file format - anyone able to help?
guy wrote:
The "a:SMTP.ISP.net" tells the world to trust SMTP.ISP.net (since the default is "+"). But this is not correct. Everyone that has access to the SMTP server can forge your email address. You should use "~a" which is neutral, but neutral is what you get if you have no SPF record. This is stupid. I should be able to indicate my ISP's SMTP servers can be trusted more than any other SMTP server on the Internet, but I can't trust it 100%. So, I use +, which is wrong. Oh, I have read that some ISPs fail on neutral. You could use "include:ISP.net" if your ISP has SPF records. Still the same neutral issue.
I wanted to point out that "?" is neutral, "~" is soft fail. People aren't supposed to reject on "?" or downgrade your mail, but they may subject it to normal spam filtering.
On Thu, 28 Oct 2004, Andrew W.Donoho wrote:
As to Guy's comment, yes, he is right. Yet in the spirit of rebuffing the perfect as the enemy of the good, I would still suggest that it is better to put some bounds on who can forge your domain name versus no mechanism at all. At least with my proposal, you have a business relationship with the ISP. That should allow you to discuss and stop any abuse of your domain that originates from their server. This is much, much better than nothing.
Right, you have two choices, and neither of them are perfect. Either you publish their list of servers with a + by which you say "the mail is not forged, or if it is, we will take responsibility for fixing the problem" and when problems occur you phone up your ISP and read them the riot act. Or else you publish using "?" and the mail sent out through your ISP may be filtered, and spf-based whitelisting probably won't work.
Each situation is different, so people will end up going different ways. In my case I have only a couple of users who use the other ISPs, so I have broken up my SPF records into per-user records, some of which have ?ptr:isp.net and others just have mx -all. (If your only connectivity is through an ISP that blocks port 25, consider the idea of getting an email provider who will let you connect to port 587 and send through them. Any place you can connect to port 587 probably has a better authorization story anyway.)
But what everyone has in common is that they should be asking their ISPs if they plan to comply with RFC2476 any time soon (seeing as how it's been 6 years and we've all been quite patient).
--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org
Everyone says that having power is a great responsibility. This is a lot
of bunk. Responsibility is when someone can blame you if something goes
wrong. When you have power you are surrounded by people whose job it is
to take the blame for your mistakes. If they're smart, that is.
-- Cerebus, "On Governing"
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
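As an added example (not from the thread or from any SPF implementation), a minimal SPF evaluator over a constructed, in-memory DNS table. It shows the point Greg makes above: the same a:, mx, ptr: or include: term yields pass, neutral or softfail purely from its qualifier prefix, with "+" as the default when none is written, and it evaluates per-user records like the "?ptr:isp.net" and "mx -all" ones he describes. All hostnames, addresses and records below are made up; CIDR suffixes and the ip4/exists mechanisms are not handled.

```python
# Constructed DNS data standing in for live lookups; none of these hosts or
# addresses are real (assumption for the example).
DNS = {
    "a":   {"smtp.isp.net": ["192.0.2.10"], "mail.example.org": ["198.51.100.5"]},
    "mx":  {"user2.example.org": ["mail.example.org"]},
    "ptr": {"192.0.2.10": ["smtp.isp.net"]},
    "txt": {
        "isp.net":           "v=spf1 a:smtp.isp.net -all",   # the ISP's own record
        "plus.example":      "v=spf1 a:smtp.isp.net -all",   # no prefix: default "+"
        "neutral.example":   "v=spf1 ?a:smtp.isp.net -all",
        "soft.example":      "v=spf1 ~a:smtp.isp.net -all",
        "inc.example":       "v=spf1 include:isp.net -all",
        "user1.example.org": "v=spf1 ?ptr:isp.net -all",     # per-user records
        "user2.example.org": "v=spf1 mx -all",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches(mech, arg, ip, domain):
    """Does one mechanism match the sending IP? (subset of RFC 4408 semantics)"""
    target = arg or domain                   # a/mx/ptr default to the checked domain
    if mech == "all":
        return True
    if mech == "a":
        return ip in DNS["a"].get(target, [])
    if mech == "mx":
        return any(ip in DNS["a"].get(h, []) for h in DNS["mx"].get(target, []))
    if mech == "ptr":
        # A PTR name counts only if it resolves back to the IP and lies in target.
        return any(ip in DNS["a"].get(h, []) and (h == target or h.endswith("." + target))
                   for h in DNS["ptr"].get(ip, []))
    if mech == "include":
        return check_host(ip, arg) == "pass"   # include: matches only on a pass
    raise ValueError(f"unsupported mechanism: {mech}")

def check_host(ip, domain):
    """Return pass/fail/softfail/neutral/none for ip sending on behalf of domain."""
    record = DNS["txt"].get(domain)
    if record is None:
        return "none"                        # no SPF record published at all
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default when no prefix is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if _matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no term matched: implicit "?all"
```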