spf-discuss

Re: [ietf-clear] Re: Make CSV backwards compatible with legacy SPF records?

2004-12-01 17:45:21
On 11/18/2004 11:38 AM, wayne sent forth electrons to convey:

In <BDC23797(_dot_)E46D%cdhutzler(_at_)aol(_dot_)com> Carl Hutzler 
<cdhutzler(_at_)aol(_dot_)com> writes:

On 11/18/04 10:44 AM, "wayne" <wayne(_at_)midwestcs(_dot_)com> wrote:

Now, the folks involved with CSV (Dave C, John L, Doug O, etc.) claim
that checking the HELO domain against SPF records isn't as good as
doing CSV checks.  Despite having listened to them explain this, and
read their specs several times, for the life of me, I can't see why
SPF checks against the HELO domain isn't just as good.

Can you explain the difference to me?

Is this difference significant enough to justify having all your
whitelisted domains implement two very similar systems?...

If someone can explain the differences to me, I would be happy, but
the discussions on the MARID list and during the Jabber sessions lead
me to believe that, for whatever reason, I'm just not getting it.
Repeating those same explanations will probably not help me.

Here are some simple explanations of why checking the HELO domain against SPF records isn't as good as doing CSV checks.

This coming from someone who thinks it's a good idea to try (and thinks he came up with the idea) but recognizes it has weaknesses, which I've attempted to address a long time ago in this thread. I believe standardizations I suggested address most but not all of them.

I. Surely, you understand that the SPF record discovery algorithm is inherently less efficient/more costly than CSV's. That's obvious, no? How many DNS queries does it take to resolve elvey.com's SPF record to a list of IPs? A dozen or so?

II. Here are some simple, concrete examples of where checking the HELO domain against SPF records isn't as good as doing CSV checks.

1) The domain owner used an SPF wizard (M$' or pobox's) to create an SPF record. The wizards are buggy. They don't take steps to ensure that the owner creates an SPF record that will match the HELO domains his servers use.

2)The SPF record contains ?all, or ?ip4:. We need a standard that defines whether these should be ignored. (IMO, yes)

3)The SPF record contains +all. We need a standard that defines whether this should be ignored. (IMO, yes)

4)The SPF record contains +63.0.0.0/5, or +63.0.0.0/8, or +63.0.0.0/16 or +63.0.0.0/24. We need a standard that defines whether these should be ignored. (discussed earlier in this thread.)

5) Because of issues such as 1-4, and others, a CSV record is more amenable to being the basis of accreditation and reputation.

III. SPF provides no mechanism for determining how to determine a domain's reputation. CSV does.

Note, there are other *important* differences (SPF checks against HELO are inherently much more vulnerable to DNS security attacks than CSV; the meaning of "checking the HELO domain against SPF records" is vague; a CSV record is more amenable to being the basis of accreditation and reputation ...) IMO, a relatively readable explanation of some of these objections and more can be found at: http://www.csvmail.org/email-authentication-summit-comments-P044411.pdf, but it's not as clear as I. - III.
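The points I. and II.2-4 above (lookup cost, and records containing ?all, +all or very broad ip4 allowances) can be turned into a static pre-check that a receiver could run on an SPF record before treating it as the basis for a HELO-domain reputation decision. The following is an added example for this thread, not code from the poster or from any SPF or CSV implementation. It resolves nothing: it only counts the terms that would need a DNS query (include, a, mx, ptr, exists, redirect), so the count is a lower bound on the real cost since included records are not chased. The sample records are constructed, and the lookup budget of 10 (later codified in RFC 7208 section 4.6.4) and the "/24 or narrower" threshold for a usable ip4 allowance are this example's own assumptions, not something the thread settles.

```python
"""Static checks on an SPF record to see whether it is a usable basis for
a HELO-identity reputation decision.  Added example for this thread; the
records below are constructed and the thresholds are assumptions."""
import ipaddress
import re

# Mechanisms/modifiers whose evaluation needs a DNS query.  The later
# RFC 7208 (section 4.6.4) caps these at 10 per check; CSV needs one
# SRV lookup.  Includes are NOT followed here, so counts are lower bounds.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_BUDGET = 10          # assumption: the RFC 7208 limit
MIN_IPV4_PREFIX = 24        # assumption: shorter prefixes are "too broad"

# qualifier, mechanism/modifier name, optional argument after ':' '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms = []
    for tok in parts[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError("unparseable term: %s" % tok)
        qual, name, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))
    return terms


def assess_for_helo(record):
    """Return (usable, problems, lookup_terms) for a HELO reputation check."""
    problems = []
    lookups = 0
    for qual, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all" and qual == "+":
            problems.append("+all: every host on the internet passes")
        elif qual == "?" and name in ("all", "ip4", "ip6"):
            problems.append("?%s: neutral result carries no assertion" % name)
        elif name == "ip4" and arg:
            cidr = arg if "/" in arg else arg + "/32"
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < MIN_IPV4_PREFIX:
                problems.append("ip4:%s: broader than /%d, does not identify a server"
                                % (arg, MIN_IPV4_PREFIX))
    if lookups > LOOKUP_BUDGET:
        problems.append("%d lookup terms exceed the budget of %d"
                        % (lookups, LOOKUP_BUDGET))
    return (not problems, problems, lookups)


# Constructed records (no real domain's data); the "costly" one stacks
# eleven include: terms to show the lookup-budget failure from point I.
SAMPLE_RECORDS = {
    "tight":   "v=spf1 ip4:192.0.2.25 ip4:192.0.2.26 -all",
    "neutral": "v=spf1 ip4:192.0.2.25 ?all",
    "open":    "v=spf1 +all",
    "broad":   "v=spf1 ip4:63.0.0.0/5 -all",
    "costly":  "v=spf1 " + " ".join("include:_spf%d.example.net" % i
                                    for i in range(11)) + " -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        usable, problems, lookups = assess_for_helo(rec)
        print("%-8s %-8s lookups=%-2d %s"
              % (label, "usable" if usable else "unusable", lookups, problems))
```

Only the "tight" record survives the check; the others are rejected for the reasons the post lists, and the "costly" one shows how quickly a record of include: terms exhausts the lookup budget before a single IP is known, which is the cost comparison point I. makes against CSV's single lookup.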