----- Original Message -----
From: "Andy Bakun" <spf(_at_)leave-it-to-grace(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, October 31, 2004 6:53 AM
Subject: Re: [spf-discuss] Re: purely dual-format approach
On Sat, 2004-10-30 at 18:06, Frank Ellermann wrote:
as long as the scoping modifier can not remove the
MAIL FROM or HELO scopes, a sc= modifier is completely
compatible with v=spf1.
That's a new restriction you have just added, it wasn't
part of my discussion with Roger. Of course you can add
modifiers which have no effect at all in pure MAIL FROM
evaluations.
Just to be clear, you assert that:
v=spf1 sc=pra -all
when evaluated against HELO and MAIL FROM is equivalent to
v=spf1 ?all
or no records at all, correct?
The act of publishing records with v=spf1 implies that you want the
checks to occur against the things that SPF checks, in the same way that
publishing MX records implies (nevermind that it explicitly says) where
you want mail delivered. If you don't want the checks to occur, don't
publish v=spf1 records.
Correct - publishing v=spf1 means that you want mailfrom to be checked using
v=spf1. Publishing v=spf1 with sc=pra+ (or similar) means you want mailfrom
*and* pra to be checked using v=spf1. Publishing v=spf2 means you want
*only* pra to be checked using v=spf2.
It doesn't matter what you put in your record - if I decide to check my
incoming mail's v=spf1 records with a pot of rasberry jam - you can't stop
me. Maybe I know what I'm doing and maybe I don't, but the fact remains that
these are *public* records and available for anyone to mangle as they want.
The legal protection is there if an ISP decides to mess my mail with PRA
checks that I haven't defined in my v=spf1. Besides the people I'm sending
mail to will soon shout at me and their ISP and action can be taken to bring
the IPS back into line.
All we should be doing here is protecting the million or so existing v=spf1
records. I don't know how many implementations of milters exist atm, but
it's small by comparison and anyone who has implemented one knows it's
beta - so will be expecting patches, rewrites, etc. We can not touch the
spec for writing records for v=spf1 - it's in the wild now and is far beyond
our control.
I still think it would be a big mistake to mention pra by name in the spec.
If pra dies, we'll have an un-necessary paragraph or two in the spec. We
should make the modifier accept a list of 3letter test identifiers and if
one is mentioned that doesn't exist - it gets ignored. If the whole
modifier doesn't exist, the default is as per v=spf1 spec only.
All the suggestions so far seem to need existing v=spf1 record publishers to
*do* something. I think this is totally wrong. The suggestion here means
the existing v=spf1 records are unaffected, they don't have to add a
modifier or second record to do anything about pra, unless they want to use
pra.
We now need Meng to persuade MS to write their software to comply with what
can be proposed as a "MS-friendly" solution. They can promote publication
of v=spf1 with this modifier and the market will choose - we get the
additional promotion of v=spf1 and they get .... well whatever they get :-)
Slainte,
JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492