spf-discuss

Re: Using "v=spf1/scope1,scope2,scope3 " as a scoping syntax

2004-11-01 16:17:29
Mark Shewmaker wrote:
 
I meant to propose that:
 v=spf1/mfrom,pra stuff
be considered invalid, so the above would be rewritten as:
 v=spf1 op=pra stuff

Yes, "spf2.0/mfrom,pra" resp. "v=spf1/mfrom,pra" would be the
same as "v=spf1 op=pra" (or any op=... incl. pra among others).

Why do you want to consider "v=spf1/mfrom,pra" as invalid ?

Old implementations won't grok it, but that's not "invalid",
it's more like "stupid" (op=pra at least works for mfrom in
old implementations.  For 'old' read 'all existing' ;-)
 
Which is compatible with "op=" as discussed elsewhere.

Yes.

If I'm wrong

No, it was me.
 
Avoiding the need for that version bump lessens the marketing
distraction/confusion of spf1 vs. spf2.0

If Harry / Jim / Meng adopt your idea for Sender-ID, replacing
"spf2.0/" by "v=spf1/" everywhere, with "backward compatibility"
notes for the two cases "v=spf1/mfrom" and "v=spf1/mfrom,pra".

eliminating any perceived need of publishers to "opt out" of
pra scope with an spf2.0 placeholder record.

That's the essential point of your idea.  But the PRA problems
don't go away for those who want it:

| In order to pass the PRA variant of the test, a program that forwards
| received mail to other addresses MUST add an appropriate header that
| contains an email address that it is authorized to use.  Such
| programs SHOULD use the Resent-From header for this purpose.

All forwarders worldwide hit by any sender with a PRA policy
MUST add Resent-Sender (or do something with the same effect).

SRS alone is not good enough.  Forwarders include news servers
in the case of moderated newsgroups, mailing lists, the works.

they could push either "v=spf1 op=pra blah" for the normal
case

That's not normal.  That's somebody hit by a phishing attempt
burning all bridges behind him.  And bounced by all forwarders
before him.  Not exactly the dream scenario for amazon.com or
ebay or citibank.  While they hate phishing they still want to
reach some of their customers.

Okay, you meant "what they consider as normal", and that's not
what I'd consider as normal ;-)

No need to make a confusing version change just to push their
agenda, and it would be less likely that such a document 
could go on the standards track too, were there to exist an
option to do the same thing that didn't require a version 
change.

And receivers couldn't sue their providers if PRA deletes all
mail from amazon / ebay / citibank as soon as it went through
a non-PRA forwarder.  After all the PRA publisher wanted it so.

Like I want my mail to be deleted if it's forwarded by non-SPF
forwarders.
            Bye, Frank