spf-discuss

Re: Handling of -all

2005-02-24 13:59:22
On Thu, Feb 24, 2005 at 09:17:57PM +0100, Julian Mehnle wrote:

SPF is an authorization method from the domain owner's POV, and an
authentication method from the sender's and receiver's POV.

The only thing the receiver knows is that the sender does, or does not,
allow a certain host to use a certain domain name.

No claim is made about the authenticity of email nor about the address
used.

Granted, some setups allow for a finer granularity (and even email
addresses including the LHS are matched), some setups can be more
reliable than others (your domain only lists your MX records, chances
are you are in control of your own boxes).

Other setups include $random_forwarder's outgoing hosts.
There's no way I can assume email through these forwarders is
authentic, I can only assume the domain owner authorizes $random_forwarder
to send mail using the $foo domain name.

If you want authentication, you need to sign a message or address.

This is simply not true right now.  You will be correct, in the
hopefully not too distant future.  Right now you are not correct.
SPF fail can mean anything from "the sender wasn't authorized(!)
to use the domain name" to "the publisher goofed up, with or without
the knowledge of the domain owner".

As long as SPF is a relatively new technology and as long as people
are trying it out, we should discourage rejecting email.  Flag it
all you want, just don't reject.

This kind of nihilism is the best means to kill off any standard right
away before it has a chance to take off.  Incompetence cannot be an excuse
for lowering security standards.

Nobody asks to lower any security standard.

Now:
We are testing. Tests go wrong.  Do not reject. Flag only and inform
the sender when appropriate.  Rejection is strongly discouraged.

Soon:
We are done testing.  SPF is an official protocol.  Tests should
have been completed a long time ago.  Use the record as you see
fit, including rejection should you choose to do so. Rejection is
optional but encouraged.

Where's the security implication on this?

If a domain owner publishes "-all", it is everyone's absolute right to
assume that this is what he meant.  Otherwise, what "now we can begin
taking SPF records seriously" switch date would you suggest?

IF<<< a domain owner publishes.  Yes.

I need not suggest a date to claim right now is not the time.
I can see that present time is too soon.  I cannot look into
the future and see when most problems have gone.

When domain owners hear from their peers "Hey, your mail was flagged
as probably unauthorized use of your domain name", they may start
looking into SPF.  OTOH if they get their mail bounced, without
knowing about SPF, the introduction to SPF is not a good one.

You are grossly overestimating people's ignorance.  As long as bounce

You are grossly underestimating my experience with those people.

messages include a clear explanation of what went wrong, there won't be
any more resentments against SPF than the other way.

We are talking about people with no knowledge about protocols, standards,
proposed standards, SPF, SMTP, DNS or whatever.  The only reaction they
are capable of is "you are blocking my email! Stop that!" and by "you"
they mean either SPF or pobox.

I estimate we communicate with a very small percentage of those
people.  The rest are enemies of SPF for life, because "we" blocked
their email so SPF is bad and they can send to hotmail so microsoft
is good.

alex

