spf-discuss

Re: Handling of -all

2005-02-24 12:15:48
On Thu, Feb 24, 2005 at 06:35:44PM +0100, Julian Mehnle wrote:

> I do not agree completely.  Although the SPF specification talks about
> what receivers should do depending on the various SPF result codes, I
> still think SPF is neither a "rejection method" nor an "approval method",
> but an "authentication method".

I think the difference between "authentication" and "authorization" is
large enough to say once more: SPF is an authorization method, not
an authentication method.

>> At the moment there are plenty of domains experimenting with SPF.  Some
>> of those _are_not_ sure, yet they do publish -all.
>>
>> I think that is good enough reason not to reject.  [...]

> Although your conclusion is correct, it is for all the wrong reasons.  As
> I said above, SPF policy never implies that mail should be rejected, but
> only that certain mail has unauthentic sender information.

This is simply not true right now.  You will be correct, in the
hopefully not too distant future.  Right now you are not correct.
SPF fail can mean anything from "the sender wasn't authorized(!)
to use the domain name" to "the publisher goofed up, with or without
the knowledge of the domain owner".

As long as SPF is a relatively new technology and as long as people
are trying it out, we should discourage rejecting email.  Flag it
all you want, just don't reject.

There's a subtle difference between saying "SPF fail does not mean
reject per se" (liberal translation of your words) and "SPF fail should
not be used to reject right now".

> Still, if domain owners _do_ publish a "-all" policy, this must be
> respected by the receiver in all cases in order to make SPF work.  Even if
> the receiver generally decides not to reject unauthentic mail, he must
> treat mail failing the SPF check as unauthentic mail.  Period.

I say again: We've seen many cases where domain owners are unaware.
This is regrettable but true.

People are experimenting with SPF.  Experiments go wrong.

When domain owners hear from their peers "Hey, your mail was flagged
as probably unauthorized use of your domain name", they may start
looking into SPF.  OTOH if they get their mail bounced, without
knowing about SPF, the introduction to SPF is not a good one.

> If publishers publish "-all" without knowing about the consequences, this

Are you aware that the one publishing is not always the one owning?

> is what needs to be changed, not any standards-conforming receiver-side
> methodology.

There is no standard yet to conform to.  I think we are talking
about a BCP here, and we don't agree on rejecting.

You say: No statement about rejecting is made by SPF.  I say: We
should make a statement that it is not wise to reject right now.

Alex

