In <1101041317(_dot_)8660(_dot_)24(_dot_)camel(_at_)code3> James Couzens
<jcouzens(_at_)6o4(_dot_)ca> writes:

> > > They recommend ~all instead of -all.
> >
> > Bah! What good is it?
>
> Publishing -all is not wise. SPF is _BROKEN_ please remember this.

No, SPF is not "broken". It is a Sender Policy Framework that can
accurately describe a very wide range of Sender Policies. Since the
syntax of SPF was locked down last year, inventions such as
specialized DNS servers to do rate limited exceptions and SES checks
have been invented, both of which increase the range of Sender
Policies that SPF can accurately describe.

Now, for your Receiver Policy, it may not be wise to reject email on
Fail, if there was any chance that it could have passed. (That is, it
is always perfectly safe to reject email if the SPF record is
"v=spf1 -all".) It might also be wise to try to determine the
forwarders that your mail users forward mail to your system.

> SPF can only be accurately used to give an IDEA as to the legitimacy of
> an e-mail. Any positive or negative action taken based on an SPF result
> is risky business, and I'm disappointed to see people publishing -all,
> and further to see people complaining about email being dropped by
> servers treating -all in a nazi like fashion and rejecting email which
> is clearly legitimate although also clearly a "forgery" in the sense
> that it came through a forwarder.

And here, you go on to describe the problems with Receiver Policies,
not Sender Policies. There are also people who are going to reject on
SoftFail, Neutral, and None. There are people who will reject your
email because your rDNS name is in what they consider to be the "wrong
format" (e.g. might be dynamic). There are all sorts of Receiver
Policies that can cause problems.

If you claim that "Any positive or negative action taken based on an
SPF result is risky business", why do you only admonish people for
publishing -all? Why not claim that people shouldn't publish
records that can allow a Pass too? After all, as you say, any
positive action based on the SPF result is risky business.

-wayne
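
The following is an added example, not part of the original message: a sketch of the Receiver Policy suggested in the reply above, which rejects on Fail only when the published record could never have produced a Pass and otherwise consults a list of forwarders the receiver's own users relay through. The function names, the "flag" action, and the forwarder network are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: networks of forwarders our own users relay mail through.
KNOWN_FORWARDERS = [ipaddress.ip_network("192.0.2.0/24")]

# A modifier is name=value (redirect=, exp=, ...); mechanisms use ':' or '/'.
MODIFIER = re.compile(r"[a-z][a-z0-9_.-]*=")

def can_ever_pass(record: str) -> bool:
    """True if some term of the SPF record could yield Pass for some sender."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if MODIFIER.match(t):
            if t.startswith("redirect="):
                return True  # result comes from another record; assume it may pass
            continue         # other modifiers never produce a result
        qualifier = t[0] if t[0] in "+-~?" else "+"  # no qualifier means '+'
        if qualifier == "+":
            return True
    return False

def receiver_action(spf_result: str, record: str, client_ip: str) -> str:
    """Map an SPF result to 'accept', 'flag' or 'reject' (hypothetical actions)."""
    if spf_result.lower() != "fail":
        return "accept"
    if not can_ever_pass(record):
        return "reject"  # e.g. "v=spf1 -all": no mail is ever authorized
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in KNOWN_FORWARDERS):
        return "accept"  # Fail is expected for mail relayed by a known forwarder
    return "flag"        # could have passed via another path: do not reject outright
```
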