On Fri, Nov 26, 2004 at 03:39:05PM -0000, Richard Bang wrote:
> 1. If I don't control all the outbound nodes for my domain I publish ?all

?all is a way of saying "when you've reached this, continue as if
no SPF record was present at all"
~all is a way of saying "I'm not YET sure I am in control of all nodes so
if you reach this, it may be a forgery but I'm not sure"

In other words, specifying ?all is mostly useful when you only want to
auto-whitelist your hosts whereas ~all is mostly useful when you plan
to switch to -all (eventually)

> 2. If I think that recipients may forward my mail to another system which
> will not apply SRS at all, and I am happy with that, I should publish ?all.

s/and I am happy with that/and I support this/

> 3. If I think that my domain may be spoofed, I publish -all and accept that
> .forward will cause bounces. I believe they should be fixed and do SRS or
> another, but I find spoofing of my domain unacceptable.

I think this is correct

> 4. If I choose to reject SPF failures, I accept that some valid mail may get
> bounced due to 2 or 3 but I accept that the domain admin for those sites is
> happy with that and so are his users.

If you define that mail as "valid", then yes. I think that the domain policy
clearly defines that mail as "invalid".

> Given the above, why can't I reject -all? The domain admin can define which
> behaviour they want knowing the -all will always get a reject for failures.

You mean to say: If they publish -all, they {will|should} accept that I reject?
If so: yes.

> I would think that saying:
> "-all will always generate rejects if SPF fails, apply caution when using
> it" would be sufficient.

Or: "... make sure you've defined all your mail outlets"

cheers,
Alex