spf-discuss

Re: Should I include major ISPs in SPF for our hosted domains?

2004-12-31 10:42:48
--Nick Phillips <nwp(_at_)nz(_dot_)lemon-computing(_dot_)com> wrote:

> On Fri, Dec 31, 2004 at 02:47:53AM -0800, Greg Connor wrote:
> > --Øyvind Henriksen <oyvind(_at_)increo(_dot_)no> wrote:
> >
> > If any user logged on to their network is allowed to send mail out as
> > anybody (meaning they don't allow third-party relaying, but they don't
> > have any real anti-forgery protection on outgoing mail) then include is
> > not really what you want. Include says "Yes it really was this person"
> > -- in other words, we completely trust that ISP to not allow forgeries.
> > If a message from "online.no" *MIGHT* be from the legitimate user, but
> > also might be forged, don't put include:online.no -- put
> > ?include:online.no instead. That way if the check of "online.no"
> > against the current IP results in a PASS, then the ultimate SPF result
> > for the customer's domain would give back a "neutral" or "I don't know"
> > response. ?include is great because it allows you to put -all at the
> > end more often and with fewer problems -- but if you're putting ?all at
> > the end instead of -all then ?include doesn't add value.

> I think you're falling into the trap of perverting the meaning of SPF,
> as many others seem to be doing these days.


Nice to meet you too. By the way, I have been active on this list for over a year now. Maybe our ideas are differently-flavored, but I wouldn't consider them perverted :)



> An SPF PASS is supposed to mean "The host that sent this mail is
> authorised to send mail claiming to be from this domain", not "you can
> trust that the user who this message claims to be from really sent it".
> Neutral was supposed to be for hosts which might conceivably someday
> really send mail from this domain, but you're not sure. i.e. that while
> you don't really expect or want those hosts to send mail claiming to be
> from your domain, you might not be able to avoid it for now.


I think that's a good description of the situation Øyvind described. Remember, it's not his own ISP that is being listed, but some other ISP's outgoing mail servers. And, this was for a default record for a large number of domains, not based on any specific knowledge of the users of that domain, just that they happen to subscribe to service in the same country as these other big-name ISPs.

My intent was really to give Øyvind some ideas to consider... Giving a neutral result for the main Norway ISPs might be as good a safety net as ?all and a lot more effective. Whether to make it ?include or +include is a decision he needs to make... I just threw out an alternative to consider.


> That would include e.g. dynamic IP pools from your users' home ISPs that
> you'd really rather they didn't use, but aren't able to move the users
> over to your SMTP AUTH system just yet.
>
> If on the other hand it is known that a particular IP will legitimately
> be sending mail from your domain and this is an intended method for your
> mail to get out, it should get an SPF PASS, irrespective of what auth
> they do. Your domain should then get an appropriately bad reputation if
> that IP sends out dodgy mail.


OK, now THIS I can agree with. While I wasn't sure where you were going with the first two paragraphs, this last seems the closest to what I was thinking.

If you (domain owner) are willing to "trust" the mailserver operator enough to +include their servers, then 1. you can say the mail coming from that server and labelled with your domains is really yours, hence an SPF PASS, and 2. you are willing to be held accountable for stuff coming out of that mail server even if it turns out to be forged.

Also we should keep in mind that Øyvind is the steward, not the actual domain owner, so if he's going to apply a default record to hundreds (thousands?) of domains, neutral is something to consider. It preserves the "status quo" for most users without giving them a bad reputation for dodgy mail from .no dialups, coffee shops, etc...


> Cheers,
>
> Nick


Thanks.  All is well.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
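To make the include vs. ?include distinction from the thread concrete, here is a small added example (not code from the list or from either poster) that evaluates a constructed set of SPF records. It is a toy evaluator covering only the ip4, include and all mechanisms, not a full RFC 4408 implementation, and the zone data it uses is invented for the demonstration: the hosting domain name, its record contents, and the IP ranges attributed to "online.no" are all assumptions.

```python
import ipaddress

# Constructed zone data for the demo (not real DNS records).
# "hosted-customer.example" stands in for one of the hosted .no domains;
# the IP ranges attributed to online.no are invented.
ZONE = {
    # Greg's suggestion: own server gets PASS, the big ISP only NEUTRAL, then -all.
    "hosted-customer.example": "v=spf1 ip4:192.0.2.10 ?include:online.no -all",
    # Same record with a plain +include: the ISP's customers get a full PASS.
    "trusting-customer.example": "v=spf1 ip4:192.0.2.10 include:online.no -all",
    # The "?all" variant Greg says makes ?include pointless.
    "neutral-all.example": "v=spf1 ip4:192.0.2.10 ?include:online.no ?all",
    # The included ISP record (constructed).
    "online.no": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means PASS on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a connecting IP claiming to send for domain."""
    if depth > 10:  # crude guard against include loops
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_record(record):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # The included record is evaluated recursively; only an inner PASS
            # counts as a match, and the OUTER qualifier decides what that
            # match turns into (so "?include" turns an inner PASS into NEUTRAL).
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("fail", "softfail", "neutral"):
                matched = False
            else:
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        for dom in ("hosted-customer.example", "trusting-customer.example", "neutral-all.example"):
            print(f"{sender:>14} -> {dom:26} {check_host(sender, dom)}")
```

Running it shows the three outcomes the thread argues about: mail from the customer's own server passes in every variant; mail from an IP inside the ISP's range is NEUTRAL under ?include but PASS under +include; and an IP outside both ranges is rejected with FAIL when the record ends in -all, while the ?all variant returns NEUTRAL for everything that is not the customer's own server, which is why ?include adds nothing there.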