spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-19 11:56:49

On Fri, 19 Nov 2004, Vivien M. wrote:

The domain owner is setting the policy.  Your domain will not 
allow you to do what you want to do.  It is not your option.  
Who owns the domain?  Who "authorized" you?  The only way to 
"authorize" you is to fix the spf records.  Only the domain 
owner can do that.  And the domain owner is smart enough to 
NOT allow you to do that.  So, they did good.

That, right there, is the issue.

Dave, myself, and others (including, we speculate, most of the general
public out there) are defining 'authorized' as 'giving <some person> an
email account at <some domain>'. Thus, if I have a vivienm(_at_)somedomain(_dot_)net
address, I am implicitly authorized to use that address by that definition.

I think SPF people are saying that they understand this definition to be:

 'authorized' as giving <some person> an  email account at <some domain>
 and in exchange <some person> agrees to abide by the policies of
 <some domain> when using email account

This understanding is already widely used because whenever you see bad
email from user(_at_)somedomain you first try to contact abuse(_at_)somedomain,
so it's assumed that the administrator of <some domain> has rights over
who is allowed to use email accounts of their domain and thus sets
policies that those users are expected to abide by.

What is being done differently by SPF is that the policies of how an email
account is to be used are expressed in technical terms (IP addresses 
that are allowed to be the origin of email with the given account in the envelope
from). The user can agree to those policies and continue to use the given email 
account as specified in the policy, or he can disagree, but in that case 
he'd be violating published policy and thus is subject to having his account 
terminated (well, this is extreme; so SPF takes a different approach and 
says that the recipient can reject messages that violate published policy).

I'm primarily concerned, however, that ISPs might be adding SPF records
to their domains without notifying their userbase about this and without
fully explaining to them the aspects of SPF policies and the limitations
that these policies might be putting on the users. This is like an ISP making 
a modification to their AUP and not notifying those who use its services 
(most ISPs have a clause that it's their responsibility to notify all those 
who agreed to the AUP about the changes).

---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

