James Couzens wrote:
On Sat, 2004-11-20 at 10:53 -0500, Chuck Mead wrote:
Michael Weiner wrote:
On Sat, 2004-11-20 at 14:14 +0000, Roy Badami wrote:
It seems to be the season for white papers.
Sendmail Inc have released a white paper entitled "Sender
Authentication Deployment Recommendations"
http://www.sendmail.net/tools/Sendmail_Auth_Reco_wp.pdf
Thanks for the URL, and you are right, seems that Christmas is here
early :-)
They recommend ~all instead of -all.
Bah! What good is it?
Publishing -all is not wise. SPF is _BROKEN_, please remember this.
There is much forwarding going on and SPF checks failing, and the number
of domains publishing is still less than 5% of all domains...
I am a domain owner. I implemented SPF with -all. I did it because as
the owner of the domain I have the *RIGHT* to control the use of my
domain name and electronic communication which uses it. I have taken
pains to ensure that if someone is trying to forward something that I,
or one of my users, wrote, their ability to do so will be limited! I
*WANT* to control other persons' ability to use my domain in electronic
communications because in my view their use of my domain without direct
association with my designated mail servers is an unauthorized use of my
domain name and I *WISH* more domain MTAs were checking and rejecting
communications purporting to come from my domains that actually do not.
This is my *RIGHT* as a domain owner and I *CHOOSE* to exercise it.
Without SPF I do not see *HOW* I could enforce my rights. Thus, in my
opinion, SPF is *NOT* broken. It is a tool that I am using to enforce my
policy as the domain owner and it works *PRECISELY* the way I need it to
in order to exercise the *RIGHTS* I have chosen to exercise!
SPF is *PRECISELY* the correct tool I require to implement the desired
controls. SPF is *NOT* broken.
*IF* you are choosing to forward emails bearing my domain name and this
causes you a problem perhaps you must realize that *I DO NOT WANT YOU TO
BE ABLE TO DO THAT*!
So if a domain owner chooses to implement SPF does a checking MTA need to
worry about "so called" "false positives"? Nope... not from my domain...
it was and is my intent that an email from moongroup.com et al. must
actually be from moongroup.com. Anything else is a pretender and I am
happy for you to drop it right square into the bit bucket!
So was I always this draconian in my views? Nope... but the net is no
longer a happy place full of fluffy clouds and cotton candy! It has
become a place full of dangerous places and persons who are
minute-by-minute plotting ugly and nefarious deeds. I have chosen to
take one of their trademark tricks away from them! If you do not choose
to do the same that is your right but at least do not deny me my rights
or tell me my policy is broken when it achieves *PRECISELY* the
objective I chose!
--
csm(_at_)moongroup(_dot_)com, head geek
http://moongroup.com
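The disagreement in this thread is about what a receiving MTA does with the result of an SPF check when the sending domain publishes -all versus ~all, and why forwarding trips it. The following added example (not from the list posts above, and not from any real moongroup.com record) models the subset of SPF evaluation needed to see that: ip4 mechanisms with optional CIDR masks and the terminating all mechanism with its qualifier. The domain names, addresses and records are constructed; the decision table in mta_action is one common policy, not the only one.

```python
import ipaddress

# Constructed SPF records for fictional domains (assumption: not real DNS data).
# Both authorize the same two address ranges; they differ only in the final "all".
RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 -all",
    "relaxed.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 ~all",
}

# SPF qualifier prefixes and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split a v=spf1 string into (result_if_matched, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:
            # redirect=/exp= modifiers need DNS lookups; not modelled here.
            raise NotImplementedError(f"modifier {term} not supported in this example")
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((QUALIFIERS[qualifier], mechanism.lower(), argument))
    return terms


def check_host(ip, record):
    """Evaluate the ip4/ip6/all subset of SPF check_host() for a connecting IP.

    Returns pass/fail/softfail/neutral from the first matching term,
    or 'none' if no term matched (records above always end in "all").
    """
    addr = ipaddress.ip_address(ip)
    for result, mechanism, argument in parse_record(record):
        if mechanism == "all":
            return result  # "all" always matches
        if mechanism in ("ip4", "ip6"):
            # A bare address without a mask is a single host (/32 or /128).
            net = ipaddress.ip_network(argument, strict=False)
            if addr.version == net.version and addr in net:
                return result
        else:
            # a/mx/include/exists/ptr require DNS; out of scope for this example.
            raise NotImplementedError(f"mechanism {mechanism} not supported")
    return "none"


def mta_action(spf_result):
    """One receiving-MTA policy: hard-fail rejects, soft-fail accepts but flags."""
    return {
        "pass": "accept",
        "fail": "reject",          # 550 at SMTP time
        "softfail": "accept-and-flag",
        "neutral": "accept",
        "none": "accept",
    }[spf_result]


def forwarding_scenario(domain):
    """Same message twice: direct from the domain's MX, then via a forwarder.

    The forwarder (constructed IP 198.51.100.7) is not in the domain's record,
    which is exactly the case the thread is arguing over.
    """
    record = RECORDS[domain]
    direct = check_host("192.0.2.10", record)
    forwarded = check_host("198.51.100.7", record)
    return {
        "direct": (direct, mta_action(direct)),
        "forwarded": (forwarded, mta_action(forwarded)),
    }


if __name__ == "__main__":
    for domain in RECORDS:
        print(domain, forwarding_scenario(domain))
```

Running it shows the direct delivery passing under both records, while the forwarded copy is rejected outright under -all and merely flagged under ~all. That is the trade-off the Sendmail paper and the list are weighing: -all enforces the domain owner's policy at the cost of legitimate forwards, ~all preserves forwards at the cost of letting a checking MTA accept spoofed mail.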