spf-discuss

RE: Handling of -all

2005-02-09 14:50:17
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Jim Fenton
Sent: Wednesday, February 09, 2005 4:35 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Handling of -all


I think we're all aware that SPF does not work well with message
forwarding (college alumni addresses and the like).  Given that's the
case, how should -all be handled?  Two possibilities I can think of:

(1) Originating domains that potentially send through forwarders should
not publish a -all policy, since some recipients might inappropriately
reject forwarded messages.  Since it's hard to know what addresses are
forwarded, -all policies would probably be quite rare.

(2) SPF verifiers should not reject mail that does not match a -all
policy, because of the possibility it came through a forwarder.

In other words, should the domain publish a gentler policy to allow for
forwarders or should recipients apply a gentler response?

-Jim

I would offer a third possibility:

(3) Originating domains MUST publish -all policies only after they understand
the potential consequences and believe that the risk of some messages is
worth the benefits associated with the policy (that would be me by the way).

SPF verifiers MUST only check SPF at the boundary of the receiver's
network.  Since forwarding is under control of the receiver, not the sender,
the forwarder is the boundary.  SPF verifiers should whitelist known non-SRS
forwarders (using trusted-forwarder.org or some local policy).

SPF verifiers SHOULD reject messages that fail a -all test.  The rejection
message to the originating MTA will enable the sender to understand the
problem and get the message delivered (this has been the case for every
forwarding related rejection I've helped out with on spf-help).  SPF
verifiers MUST either deliver the message to an end user (an end user spam
folder is fine with me) or reject the message.  SPF verifiers MUST NOT bounce
messages that fail SPF after SMTP time (pretty much by definition, these are
the bounce messages SPF is designed to prevent).

I would put it differently.  The originating domain should only publish -all
if they understand it and mean it.  The receiving domain should accept the
sender policy and implement it.

Scott Kitterman
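
The receiver-side handling described in the reply above, as an added example that is not part of the original post or of any SPF implementation. It evaluates only the ip4, ip6 and all mechanisms; the function names, the forwarder list and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed local policy: known non-SRS forwarders that relay mail to us.
TRUSTED_FORWARDERS = [ipaddress.ip_network("198.51.100.0/24")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate an SPF record limited to ip4/ip6/all (no DNS mechanisms)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, redirect= etc. need DNS and are out of scope here
            raise ValueError("unsupported term in this example: " + term)
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def handle(record, client_ip, in_smtp_session=True):
    """Decide what the receiver does with one message at its network boundary."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip.version == net.version and ip in net for net in TRUSTED_FORWARDERS):
        return "accept"  # whitelisted forwarder: this hop is not SPF-checked
    if spf_result(record, client_ip) != "fail":
        return "accept"
    if in_smtp_session:
        return "reject"  # 5xx at SMTP time; the sending MTA informs the sender
    return "spam-folder"  # after SMTP time: deliver, never generate a bounce


if __name__ == "__main__":
    policy = "v=spf1 ip4:192.0.2.0/24 -all"  # constructed sample record
    for addr in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(addr, handle(policy, addr))
```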

