spf-discuss

Re: Sendmail white paper

2004-11-24 02:38:13
On Wed, 2004-11-24 at 10:20 +0100, Alex van den Bogaerdt wrote:
a) You saying it's "valid mail" does not make it valid mail.

True. The fact that it's mail which the sender in question did actually
send, which some third party rejected due to the SPF record, makes it
'valid mail'. All terminology is of course debatable, but that's not the
point.

b) I do not deceive people.  I tell people what spf does and does not do.
   I have nothing to do with the wizard so don't say that I deceive anyone.

Only yesterday I found someone who'd installed an SPF record after
looking at the SPF wizard, and without really thinking about it for
themselves. After I got them to look at what SPF actually does and apply
their _own_ brain rather than just using the wizard, of course they
removed the record.

So, you've convinced people that cannot think for themselves.  Hurray.

Not really, no. I got someone to think for himself when previously he
just hadn't bothered to do so. It wasn't someone with whom my opinion
carries any weight -- it was a purely technical discussion in which I
pointed out what was actually going on.

Then they made a comment along the lines of "we just need email to be
signed by the outgoing mail servers, and the signatures checked by the
recipient". Which is of course true -- so I pointed them at DK and IIM.

And because they cannot think for themselves, I have to implement DK?

If they can think for themselves they won't be rejecting mail due to SPF
failures -- and in fact most people are _not_ rejecting mail due to SPF
failures, thankfully. So yes, you should probably implement _something_
different -- and DK seems like one of the sane alternatives.

The alternative is to place a guard next to the backdoor and shoot
to kill.  I prefer the locks.  That means I can no longer just enter
my neighbour's house, so be it.  It is sad but it is a reality.

I'm sorry, your analogy is lost on me. Why are DK and IIM and SES like a

I do not compare my analogy to DK, IIM, SES, FBI, CIA, TLA, USA or any
other lettersoup.  You have trimmed the relevant portion away so I suggest
you look up the earlier post that includes both parts of the analogy.

It still doesn't make sense. My neighbour has a key. Surely _that_ is
your alternative if you want your neighbour to be granted access? The
neighbour doesn't have to enter your premises directly by stepping
across the threshold from his own -- it doesn't matter where he comes
from if he uses keys. The key asserts his right to be there; just like
DomainKeys. Isn't that a better analogy?

When I use domain keys,  and when I send mail to you, and when this
bounces, where does the bounce come from?

I'm not entirely sure what you're asking. If you send mail to me and it
bounces, where it comes from depends on where and why it bounces. In
practice my systems will almost never generate a bounce during normal
operation -- either they'll reject mail, or they'll accept and forward
it.

If someone else _forges_ mail claiming to be from you and they send it
to my mail server, my mail server should reject it. The spam-robot
trying to send the mail will then move on to the next address -- no
bounce will be generated. For an example of this, try sending MAIL
FROM:<dwmw2(_at_)infradead(_dot_)org> to somewhere like sourceforge.net.

If you have further technical questions (or could refine this one so I
can be more helpful in my answer) please don't hesitate to ask.

-- 
dwmw2


