spf-discuss

RE: Sendmail white paper

2004-11-23 09:26:04
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of David 
Woodhouse
Sent: Tuesday, November 23, 2004 5:30 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Sendmail white paper


> On Mon, 2004-11-22 at 20:40 +0000, Mark wrote:
> > When you put it like that, it sounds like it is "my" decision; but it is
> > really that of the domain owner. I take it an admin who adds "-all" SPF
> > records is sufficiently confident about the manner in which mail for his
> > domain is going to be relayed.
>
> You directly contradict what Scott Kitterman says. He says it's OK to
> publish '-all' because sites whose users may forward mail to its final
> destination there (i.e. most ISPs) should know not to check SPF. But you
> say that you should check SPF because sites whose users may _send_ mail
> to users who forward mail should know not to publish SPF.

No.  I will say again that I have yet to have a message bounce due to SPF
and forwarding and that we see a few cases of this on spf-help, but not much
at all.

You are convinced beyond any possibility of reconsideration that the
forwarding problem is a deal breaker for SPF.  You are welcome to your
opinion.  I don't think anyone is confused at all about your opinion.

I said that forwarding is a problem for the receiver because it's the
receiver that establishes the forwarding relationship.  I don't see any
contradiction between what Mark wrote and what I wrote.  Mark prefers SRS as
a solution to the forwarding problem however big that may be.  I believe
it's one solution (people argue about good/bad, I haven't a strong opinion
either way).  There are other ways to resolve the forwarding problem.  In
the end, receivers accepting forwarded mail have to "trust" the forwarder.
It's all whitelisting one way or another.

> In practice it's impossible for most large sites to know either whether
> they'll send mail to a forwarding address, or whether they'll receive
> mail which is forwarded. Thus, one should neither publish nor obey
> '-all' records, yet each of you seems to be blaming the other end for
> the problem.

I disagree.  We aren't each blaming the other end, but since you've no
intention of accepting any argument other than that SPF is broken, it really
doesn't matter.

I understand it's difficult for the ultimate destination to know of _all_
forwarding relationships.  It is, in fact, impossible for the sender to
know.  It is incumbent on receivers to not kill their customers' e-mail (or
accept that they will lose a certain fraction of their customer base).  When
implementing SPF on the receive side, one ought to not be stupid about it.

trusted-forwarders.org is a good start in not being stupid about it.  So is
dialogue with the user base to establish information about forwarding
relationships.  Initially deploying without rejecting on -all is smart.
Once traffic has been inspected for problematic SPF failures and the issues
resolved (whitelisting additional forwarders as necessary), then there will
come a time to reject on -all.  That's being smart.  That's not saying SPF
is broken.  Every transition has some pain and you need to take time to work
through the corner cases.

Now, I think all this is reasonable and doable.  You are no doubt already
composing your response to explain how this proves once again that SPF is
broken.  Don't bother.  There really isn't anything you can say that you
haven't said several times already.

Scott Kitterman
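[Editor's added example, not part of the list post above and not code from any SPF implementation or from trusted-forwarders.org. It shows the staged receive-side policy Scott describes: a forwarder whitelist consulted before SPF, a monitor-only stage that logs -all failures without rejecting, and an enforce stage that rejects them. DNS is replaced by a constructed in-memory table (FAKE_DNS) so the code runs offline; the domain names, addresses and the TRUSTED_FORWARDERS network are hypothetical. The SPF evaluator is deliberately minimal (ip4, a, include, all) and is not a full RFC implementation.]

```python
import ipaddress

# Constructed stand-in for DNS TXT/A lookups (hypothetical names and
# addresses; no network access).
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"},
    "_spf.mailhost.example": {"TXT": "v=spf1 a:mx1.mailhost.example ~all"},
    "mx1.mailhost.example": {"A": ["198.51.100.10"]},
}

# Forwarders this receiving site has chosen to trust after talking to its
# users (the whitelisting the post describes). Hypothetical network.
TRUSTED_FORWARDERS = {ipaddress.ip_network("203.0.113.0/24")}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Static lookup in the constructed table; None when the record is absent."""
    return FAKE_DNS.get(name, {}).get(rtype)


def check_spf(ip, domain, depth=0):
    """Minimal SPF evaluator supporting ip4, a, include and all.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Simplification: an include only matches on 'pass'; any other inner
    result is treated as no-match rather than as an error."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF record
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in (lookup(arg or domain, "A") or [])
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism not supported here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # ran off the end without a match


def receive_policy(ip, mail_from_domain, enforce):
    """SMTP-time decision for a message from client `ip` with the given
    MAIL FROM domain. enforce=False is the initial 'deploy without
    rejecting on -all' stage: a fail is accepted and returned so it can be
    logged and investigated. enforce=True rejects on fail. Trusted
    forwarders bypass SPF in both stages, which is what keeps forwarded
    mail for your own users from bouncing."""
    client = ipaddress.ip_address(ip)
    if any(client in net for net in TRUSTED_FORWARDERS):
        return ("accept", "trusted-forwarder")
    result = check_spf(ip, mail_from_domain)
    if result == "fail" and enforce:
        return ("reject", result)
    return ("accept", result)


if __name__ == "__main__":
    for ip, stage in (("192.0.2.7", True), ("198.18.0.1", False),
                      ("198.18.0.1", True), ("203.0.113.5", True)):
        print(ip, "enforce" if stage else "monitor",
              receive_policy(ip, "example.com", stage))
```

Run in monitor mode first and review every ("accept", "fail") you log; each one is either a forwarder to add to TRUSTED_FORWARDERS or a genuine forgery. Only when that list has stabilised does flipping enforce to True become safe for your own users.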