RE: I hate to interrupt all this for something practical, but.... we nee

I suspected that was what you meant... I wanted to note it in case someone 
stumbles on that in the archive later and becomes confused.
Also, part of the spf implementation guidelines is a requirement that ? 
Neutral results should never be downgraded and should be treated just as if 
SPF didn't exist.  This is important, because if people start downgrading 
Neutral, others might be afraid to publish a less-than-complete record.  We 
really prefer complete records, but given a choice of no record or a 
?include:comcast -all record I will take the incomplete record over the no 
record any day.
I wonder if there is still a requirement on the books for Neutral to be 
treated really neutrally, and whether this is enforced anywhere.
gregc

--guy <pobox(_at_)watkins-home(_dot_)com> wrote:

> Oops!  I made a mistake!  :)
>
> I don't use "?" or "~", that's what I get by going from memory.
>
> "?" is neutral, "~" is soft fail
> "?" is neutral, "~" is soft fail
> "?" is neutral, "~" is soft fail
> "?" is neutral, "~" is soft fail
> "?" is neutral, "~" is soft fail
>
> Thanks for the correction.
>
> Guy
>
> -----Original Message-----
> From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg 
> Connor
> Sent: Thursday, October 28, 2004 7:01 PM
> To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> Subject: Re: [spf-discuss] I hate to interrupt all this for something
> practical, but.... we need a concise, easy-to-follow set of SPF
> instructions in file format - anyone able to help?
>
> >  guy wrote:
> > >> The "a:SMTP.ISP.net" tells the world to trust SMTP.ISP.net (since the
> > >> default is "+").  But this is not correct.  Everyone that has
> > >> access to the SMTP server can forge your email address.  You should
> > >> use
> > >> "~a" which is neutral, but neutral is what you get if you have no SPF
> > >> record.  This is stupid.  I should be able to indicate my ISPs SMTP
> > >> servers can be trusted more than any other SMTP server on the
> > >> Internet,
> > >> but I can't trust it 100%. So, I use +, which is wrong.  Oh, I have
> > >> read that some ISPs fail on neutral.  You could use "include:ISP.net"
> > >> if your ISP has SPF records. Still the same neutral issue.
>
> I wanted to point out that "?" is neutral, "~" is soft fail.  People
> aren't  supposed to reject on "?" or downgrade your mail, but they may
> subject it to
>
> normal spam filtering.
>
>
> On Thu, 28 Oct 2004, Andrew W.Donoho wrote:
> > As to Guy's comment, yes, he is right. Yet in the spirit of rebuffing
> > the perfect as the enemy of the good, I would still suggest that it is
> > better to put some bounds on who can forge your domain name versus no
> > mechanism at all. At least with my proposal, you have a business
> > relationship with the ISP. That should allow you to discuss and stop
> > any abuse of your domain that originates from their server. This is
> > much, much better than nothing.
> Right, you have two choices, and neither of them are perfect.  Either you
> publish their list of servers with a + by which you say "the mail is not
> forged, or if it is, we will take responsibility for fixing the problem"
> and
>
> when problems occur you phone up your ISP and read them the riot act.  Or
> else
> you publish using "?" and the mail sent out through your ISP may be
> filtered,
> and spf-based whitelisting probably won't work.
>
> Each situation is different, so people will end up going different ways.
> In
>
> my case I have only a couple user who use the other ISPs, so I have broken
> up
> my SPF records into per-user records, some of which have ?ptr:isp.net and
> others just have mx -all.  (If your only connectivity is through an ISP
> that
>
> blocks port 25, consider the idea of getting an email provider who will
> let  you connect to port 587 and send through them.  Any place you can
> connect to
>
> port 587 probably has a better authorization story anyway.)
>
> But what everyone has in common is that they should be asking their ISPs
> if  they plan to comply with RFC2476 any time soon (seeing as how it's
> been 6  years and we've all been quite patient)
>
>
> --
> Greg Connor
> gconnor(_at_)nekodojo(_dot_)org
>
> Everyone says that having power is a great responsibility.  This is a lot
> of bunk.  Responsibility is when someone can blame you if something goes
> wrong.  When you have power you are surrounded by people whose job it is
> to take the blame for your mistakes.  If they're smart, that is.
>                 -- Cerebus, "On Governing"
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta
> features SPF and Sender ID.
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta
> features SPF and Sender ID. To unsubscribe, change your address, or
> temporarily deactivate your subscription,  please go to
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>