spf-discuss

Re: SpamCop recommends SPF (and/or DomainKeys)

2005-01-26 17:02:44
On Wed, 26 Jan 2005, Julian Mehnle wrote:

> We need to work on the public perception of SPF being unreliable or
> error-prone.

I've seen two things referenced wrt SPF being "unreliable":

1) mistakes by SPF publisher, buggy SPF client software, and/or 
   incorrect receiver forwarding configuration cause
   incorrect results.

2) publisher can specify results of NEUTRAL or SOFTFAIL.

Number 2 is, of course, a silly objection, and we should point
out that NEUTRAL is no worse than if no SPF were published at all,
and SOFTFAIL could be treated the same if desired.

Number 1 is a real objection.  There are a lot of niggling details
for an SPF publisher and SPF checker to get configured right - and
that is assuming the SPF software is bug free.

A big help for SPF reliability is for *senders* to check their own SPF.
I.e., MTAs should check whether their own outgoing mail connections
would pass SPF if they were the receiver, and abort if there is a
problem.  Unfortunately, sendmail doesn't invoke milter for outgoing
connections.  I can get control at MAIL FROM time via a socket map
(in the same code already doing SRS/SES), but haven't figured out how to get
our IP.  I suppose I could assume a given sendmail instance will always use the
same IP for outgoing mail, and specify it in a config.  Also, I'm
not sure how to tell sendmail to abort and requeue with an informative DSN 
in the sendmail.cf language.

There are fewer configuration nits with domain keys.  It is, of course,
possible to publish the wrong public keys for a domain, and MTAs
should also check outgoing mail to prevent this.  The BIG problem
with domain keys is MTAs that modify the message.  If base85 encoding isn't
recommended because too many MTAs can't keep that character set intact,
then content signatures are going to have a problem.

Finally, when a domain keys client rejects a message because the
signature doesn't match - it should send a DSN.  I REALLY REALLY HOPE
THAT THEY SEND A REAL DSN, ALSO CHECK SPF, AND SKIP THE DSN IF ENVELOPE FROM IS
FORGED.  I don't want to get all that bounce spam.  It's bad enough with all
the stupid virus scanners telling me about all the viruses claiming 
to be from me - and not even with a proper DSN.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
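
The sender-side self-check suggested in the message above, as an added example that is not part of the original post: before mail leaves, evaluate the envelope sender's SPF record against the MTA's own outgoing IP, which is passed in from configuration as the message proposes. The record table, the function names and the hold-on-softfail policy are assumptions made for the example, and only the ip4, ip6, include and all mechanisms are evaluated.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups (runs offline).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "neutral.example": "v=spf1 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for ip against domain."""
    terms = txt.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"  # no qualifier means "+"
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif name == "include":
            sub = check_spf(ip, arg, txt, depth + 1)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a, mx, redirect etc. are outside this subset
    return "neutral"  # nothing matched


def outgoing_action(outgoing_ip, mail_from, txt=SAMPLE_TXT):
    """Sender-side gate run at MAIL FROM time, before the message leaves."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(outgoing_ip, domain, txt)
    # Assumed policy: any result a strict receiver might reject holds the mail.
    if result in ("fail", "softfail", "permerror"):
        return ("hold", result)
    return ("send", result)
```

A "hold" result corresponds to the abort-and-requeue case in the message; how that is signalled to the MTA is left open here, as it is in the post.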