spf-discuss

RE: Should I include major ISPs in SPF for our hosted domains?

2005-01-02 13:36:05
From: william(at)elan.net
Sent: Sunday, January 02, 2005 3:26 AM



On Sat, 1 Jan 2005, Stuart D. Gathman wrote:

On Sat, 1 Jan 2005, Nick Phillips wrote:

It's your point 1 here that I think is misplaced. A PASS is not saying
that mail coming from that server with your domains on it is really
yours, it's saying that it could be, as that server is authorised to
send mail from your domains.

I disagree.  A NEUTRAL says that it could be yours.  A PASS says that to
the best of your knowledge and ability (i.e. assuming your servers
weren't hacked, etc), the mail is yours.  If your mail might go out via
other ISPs without meaningful authentication (i.e. that prevents cross
customer forgery), then they should be listed with '?'.

You're not correct. SPF does not look at local parts, and SPF records for
domains are often very wide-ranging to allow any user from the domain to be
authenticated. As such it does not provide a very strong sense that the email
is truly yours and is not a good way to judge reputation on.

I disagree with your analysis.  Nowhere did Stuart mention authenticating
local parts.  SPF is a designated sender scheme for domains.  To the extent
that a domain is in control of its outgoing MTAs, and as long as an
ancillary protocol is used to deal with forwarding, SPF gives a perfectly
good _domain_ authentication that is suitable for reputation assessment.
Depending on the ancillary protocol chosen, the result is quite different.
If SES is used, the original domain can be authenticated in the presence of
forwards and spam will be attributed to the originating domain, as it
should.  If SRS is used, only the last hop will be authenticated and any
spam will be attributed to the last hop, even if it is a forwarder.

To the extent that domains designate third party MTAs that allow their
customers to forge any domain they choose, this weakens the policy statement
of the SPF record.  For SPF to work best, a domain should provide SMTP AUTH
so that only MTAs under its direct control are designated as permitted
senders.

--

Seth Goodman
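As an added illustration of the PASS-versus-NEUTRAL distinction argued above (not code from the list or from any SPF implementation), here is a small evaluator for a constructed record in which the domain's own MTAs carry the default "+" qualifier, a shared ISP relay that cannot prevent cross-customer forgery is listed with "?", and everything else is "-all". The record, IP addresses and the reputation policy are all hypothetical; only the ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed record for a hosted domain: directly controlled MTAs get the
# implicit "+" (PASS); a third-party ISP relay gets "?" (NEUTRAL); all other
# sources fail.  Addresses are documentation ranges, not real hosts.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.25 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an spf1 record into (result, mechanism, value) terms.

    Teaching subset only: ip4 and all are supported, nothing else.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an spf1 record")
    terms = []
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "all"):
            raise ValueError("unsupported mechanism: " + name)
        terms.append((QUALIFIERS[qual], name, value))
    return terms


def check_host(record, client_ip):
    """Return the SPF result for the connecting IP under the record."""
    ip = ipaddress.ip_address(client_ip)
    for result, name, value in parse_record(record):
        if name == "all":
            return result
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return result
    return "neutral"  # nothing matched and no "all" term: default result


def reputation_action(result):
    """Hypothetical receiver policy reflecting the thread's argument: only a
    PASS is strong enough to charge the message to the domain's reputation;
    a NEUTRAL from a shared relay is treated as unauthenticated."""
    if result == "pass":
        return "attribute to sender domain"
    if result == "fail":
        return "reject"
    return "treat as unauthenticated"
```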