spf-discuss

Re: Should I include major ISPs in SPF for our hosted domains?

2004-12-31 16:10:55
On Fri, Dec 31, 2004 at 09:42:48AM -0800, Greg Connor wrote:

I think you're falling into the trap of perverting the meaning of SPF,
as many others seem to be doing these days.

Nice to meet you too.  By the way, I have been active on this list for over 
a year now.  Maybe our ideas are differently-flavored, but I wouldn't 
consider them perverted :)

;-)


I think that's a good description of the situation Øyvind described. 
Remember, it's not his own ISP that is being listed, but some other ISP's 
outgoing mail servers.  And, this was for a default record for a large 
number of domains, not based on any specific knowledge of the users of that 
domain, just that they happen to subscribe to service in the same country 
as these other big-name ISPs.

My intent was really to give Øyvind some ideas to consider... Giving a 
neutral result for the main Norway ISPs might be as good a safety net as 
?all and a lot more effective.   Whether to make it ?include or +include is 
a decision he needs to make... I just threw out an alternative to consider.

I didn't read his post all that carefully; it's the impression given
from yours that I was trying to comment on.

Basically it's this bit:

If on the other hand it is known that a particular IP will legitimately
be sending mail from your domain and this is an intended method for your
mail to get out, it should get an SPF PASS, irrespective of what auth
they do. Your domain should then get an appropriately bad reputation if
that IP sends out dodgy mail.

OK, now THIS I can agree with.  While I wasn't sure where you were going 
with the first two paragraphs, this last seems the closest to what I was 
thinking.

that I was trying to emphasize.

If you (domain owner) are willing to "trust" the mailserver operator enough 
to +include their servers, then 1. you can say the mail coming from that 
server and labelled with your domains is really yours, hence an SPF PASS, 
and 2. you are willing to be held accountable for stuff coming out of that 
mail server even if it turns out to be forged.

It's your point 1 here that I think is misplaced. A PASS is not saying that
mail coming from that server with your domains on it is really yours, it's
saying that it could be, as that server is authorised to send mail from
your domains.

Evidently it would be a good idea for us all to try to make sure that those
servers make sure that they do only send genuine mail from as using our
domains, but I think the difference is still important.


Thanks.  All is well.

A curate's egg, at least :-)


Cheers,


Nick
-- 
P.S. Happy New Year!
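The thread turns on what a receiver actually gets back when a hosted domain lists another ISP's outbound servers with `?include` versus `+include`, and falls back to `?all`. The following is an added example, not code from the spf-discuss thread or from any SPF library: a deliberately small evaluator covering only the `ip4`, `include` and `all` mechanisms (no `a`, `mx`, `ptr`, `exists` or `redirect`, and no DNS lookup limit beyond a recursion cap), with a constructed in-memory zone using hypothetical names (`hosted.example`, `bigisp.example`). It shows that `?include` yields NEUTRAL for the ISP's addresses, `+include` yields PASS for them, and `?all` leaves everything else at NEUTRAL, which is the distinction Greg and Nick are weighing.

```python
"""Toy SPF evaluator for the +include / ?include / ?all choices discussed above.
Added example; not code from the thread or from an SPF implementation.
The zone below is constructed and uses hypothetical domain names."""
import ipaddress

# Constructed TXT records, keyed by domain name.
# hosted.example lists its own /24 and, neutrally, the big ISP's servers.
ZONE_NEUTRAL_INCLUDE = {
    "hosted.example": "v=spf1 ip4:192.0.2.0/24 ?include:bigisp.example ?all",
    "bigisp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Same zone, but the hosted domain fully vouches for the ISP's servers.
ZONE_PASS_INCLUDE = dict(ZONE_NEUTRAL_INCLUDE)
ZONE_PASS_INCLUDE["hosted.example"] = (
    "v=spf1 ip4:192.0.2.0/24 +include:bigisp.example ?all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for mail from address `ip` claiming `domain`, using `zone`
    as the DNS. Supports ip4, include and all only."""
    if depth > 10:  # crude guard against include loops
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include "matches" only when the referenced domain returns PASS;
            # the include's own qualifier then decides the outer result.
            sub = check_host(ip, arg, zone, depth + 1)
            if sub == "permerror":
                return sub
            if sub == "none":  # RFC 4408: missing included record is an error
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism in this toy subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def compare_policies(ip):
    """Result for `ip` claiming hosted.example under both policy variants."""
    return {
        "?include": check_host(ip, "hosted.example", ZONE_NEUTRAL_INCLUDE),
        "+include": check_host(ip, "hosted.example", ZONE_PASS_INCLUDE),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.7", "203.0.113.9"):
        print(ip, compare_policies(ip))
```

For the hosted domain's own range both policies give PASS; for the ISP's range `?include` gives NEUTRAL and `+include` gives PASS; for any other address both fall through to `?all` and give NEUTRAL. That is the trade-off being discussed: `+include` makes the domain owner accountable (PASS) for whatever the ISP's servers emit under that domain, while `?include` merely says "could be ours" without vouching.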