spf-discuss

Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-22 11:59:03
On Mon, 22 Nov 2004 17:47:17 +0100, Hannah Schroeter 
<hannah(_at_)schlund(_dot_)de> wrote:

> Or if I, using my legitimate email address, send mail to someone and the
> mail doesn't come through, it's a false positive - unless the recipient
> actually *intended* to filter my mail (like killfiled me, e.g. using
> Sieve).
>
> For SPF, especially the forwarding problem is at risk of creating false
> positives. Solutions like SRS put the burden on parties that might not
> be interested in SPF at all. I'd think a solution would be more
> appropriate that keeps the burden at the interested parties (i.e. the
> sender's domain owner who wants to control the domain usage, and/or the
> recipient's MX operator) *only*.
>
> SES *could* be such a solution perhaps, but as the state of affairs is
> now, some domains publish SPF with -all, others reject SPF fail, and
> only a few forwarder sites do SRS. That's a bad order of things.
>
> Things should go on a more realistic route: Reality is there *are*
> different forwarding setups, by far not all of them run SRS, perhaps
> not even anything SPF-related at all. If your goal reality is a sender
> controlled level of 2821-mail-from authentication w/o false positives,
> I'd rather suggest things like solve forwarding first, in whatever way,
> *then* start publishing -all and rejecting SPF fail. Not the other way
> round, as it seems to be done, unfortunately.


Hannah,

The owner of the sender domain does not control anything on the
recipient side. They publish a record that states their intent or
policy as to what hosts are allowed to send mail on behalf of the
domain. Nothing more and nothing less. They have no control over what
the recipient MTA does as a result of that published policy. The
specification indicates how an SPF record should be formatted. It
indicates what constitutes a pass/fail/softfail/neutral. Nowhere does
the specification indicate what the recipient MTA should do with the
mail.

So, I am greatly amused at the handful of joe job bounces I have seen
in our bounce logs. The remote MTA recognized that the Mail From: was
spoofed and even indicated that in the bounce message it sent us.
What's wrong with this picture?

As usual, just my 2 cents.

Mike
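The forwarding problem Hannah raises and the pass/fail/softfail/neutral results Mike describes, as an added example that is not part of this thread: a minimal SPF evaluator over constructed records, plus an SRS-style envelope rewrite showing why a forwarder that leaves the original MAIL FROM in place produces a fail against a `-all` domain, while one that rewrites it does not. The domain names, IP addresses and SRS secret are constructed assumptions; the evaluator only returns the SPF result and leaves what to do with it to the receiving MX.

```python
import hmac
import hashlib
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "sender.example":    "v=spf1 ip4:192.0.2.10 -all",     # hard fail for any other host
    "lenient.example":   "v=spf1 ip4:192.0.2.10 ~all",     # softfail instead of fail
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(mail_from_domain: str, client_ip: str) -> str:
    """Evaluate a minimal SPF subset (ip4 mechanisms and 'all'), as a recipient MX would.
    Returns only the SPF result; accepting or rejecting is local policy, not part of SPF."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"                      # domain publishes no SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched

SRS_SECRET = b"constructed-forwarder-secret"  # hypothetical key held by the forwarder

def srs_rewrite(mail_from: str, forwarder_domain: str) -> str:
    """Rewrite the envelope sender the way an SRS forwarder does, so the return path
    points at the forwarder's own domain. The timestamp field is simplified to 'TT'."""
    local, domain = mail_from.rsplit("@", 1)
    tag = hmac.new(SRS_SECRET, f"TT={domain}={local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}=TT={domain}={local}@{forwarder_domain}"

def forwarding_scenario(use_srs: bool) -> dict:
    """alice@sender.example mails a forwarder.example address; the forwarder (198.51.100.5)
    relays the message to the final MX, which runs the SPF check on what it actually sees."""
    mail_from = "alice@sender.example"
    if use_srs:
        mail_from = srs_rewrite(mail_from, "forwarder.example")
    domain = mail_from.rsplit("@", 1)[1]
    return {"mail_from": mail_from, "result": check_spf(domain, "198.51.100.5")}

if __name__ == "__main__":
    for srs in (False, True):
        s = forwarding_scenario(srs)
        print(f"SRS={srs}: MAIL FROM=<{s['mail_from']}> -> {s['result']}")
```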

