spf-discuss

RE: IESG evaluation of SPF

2005-04-07 21:23:18
On Thu, 7 Apr 2005, Hallam-Baker, Phillip wrote:

> All you can do here is to put in SHOULD NOT and even that is going to be
> ignored. The whole point of a spam filter is that you are flouting the
> SMTP spec by throwing the email into the bit bucket. Nothing that is
> done can ever be more than a suggestion to the recipient.

o We are not talking about a spam filter.  SPF does not address spam.

o No proper SPF checking implementation will ever throw any email into the bit
  bucket.  The worst that can happen is to REJECT an email at SMTP time,
  which does *not* throw the mail into a bit bucket unless the sending
  system is broken.  Post-SMTP SPF checkers are not proper implementations.
  But even then, reasonable ones like SpamAssassin don't throw email into the
  bit-bucket.

o The fact that the recipient can do what they want is irrelevant.  OF
  COURSE people can ignore standards.  Shoot, SPF might not even be
  needed if people didn't insist on ignoring HELO requirements.

o The purpose of the SPF classic standard is to tell recipients what
  they MUST or MUST NOT do to get the SPF result intended by an SPF sender.
  To get an SPF result, they MUST NOT use the PRA identity with
  v=spf1 (or any identity other than HELO or MAIL FROM).  If they do, the
  result won't be an SPF result.  It *might* be a SenderID result, if the
  publisher was looking at the SenderID standard when publishing - but that is
  not the concern of the spf-classic draft.

In conclusion, I agree that we can't tell people that they can't
use v=spf1 for SenderID or some other creative/stupid purpose.  However, 
we CAN and SHOULD make it clear what they must do to get the intended SPF
result.  And clearly, you MUST use only MAIL FROM or HELO to get
an SPF result.

BTW, SenderID reuse of v=spf1 for PRA wouldn't be so bad if they treated
it as a fallback heuristic: any result other than PASS should be treated
as NEUTRAL.  Doing so when no spf2.0 record is present is no worse, and
slightly better than the "v=spf1 a/24 mx/24 ptr" default that many SPF
checkers use.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


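An added illustration of the two rules argued in this message (not code from the post, the list, or any SPF implementation): a checker should only treat a v=spf1 record as authoritative for the HELO and MAIL FROM identities, and if it reuses v=spf1 for the PRA identity with no spf2.0 record available, any outcome other than PASS is downgraded to NEUTRAL. The record scope parsing follows the v=spf1 / spf2.0/<scopes> version tags; the function names, the scope labels "mfrom", "helo" and "pra", and the sample records are assumptions made for this example. Mechanism evaluation itself (matching the client IP against ip4:, mx:, etc.) is out of scope and is passed in as `raw_result`.

```python
# Added example, not from the post or any SPF library: record selection by
# identity scope, and the "non-PASS becomes NEUTRAL" fallback for Sender ID
# reusing a v=spf1 record for PRA.

# Scope labels are assumptions: "mfrom" = MAIL FROM, "helo" = HELO/EHLO,
# "pra" = Purported Responsible Address (Sender ID only).
SPF_CLASSIC_SCOPES = frozenset({"mfrom", "helo"})
RESULTS = frozenset({"pass", "fail", "softfail", "neutral", "none",
                     "permerror", "temperror"})


def record_scopes(txt):
    """Return the identity scopes a TXT record applies to, or None if it is
    not an SPF/Sender ID record.  A v=spf1 record is SPF classic and binds
    only MAIL FROM and HELO; spf2.0/<scopes> names its scopes explicitly."""
    version = txt.strip().split(" ", 1)[0].lower()
    if version == "v=spf1":
        return SPF_CLASSIC_SCOPES
    if version.startswith("spf2.0/"):
        scopes = frozenset(s for s in version[len("spf2.0/"):].split(",") if s)
        return scopes or None
    return None


def select_record(records, scope):
    """Choose the record that governs `scope`.

    Returns (record, authoritative).  `authoritative` is True when the
    record was published for that scope.  For "pra" with only a v=spf1
    record available, that record is returned with authoritative=False:
    the publisher never consented to PRA evaluation, so the outcome can only
    be used as a heuristic.  Returns (None, False) when nothing applies."""
    fallback = None
    for txt in records:
        scopes = record_scopes(txt)
        if scopes is None:
            continue
        if scope in scopes:
            return txt, True
        if scope == "pra" and scopes == SPF_CLASSIC_SCOPES and fallback is None:
            fallback = txt
    return fallback, False


def effective_result(records, scope, raw_result):
    """Map the mechanism-evaluation outcome `raw_result` (computed elsewhere
    against the selected record) to the result the checker should act on.
    Authoritative record: the outcome stands as an SPF (or Sender ID) result.
    Heuristic fallback (v=spf1 evaluated for PRA): PASS is kept, everything
    else is downgraded to NEUTRAL, so a mismatch never yields a FAIL the
    publisher did not intend."""
    if raw_result not in RESULTS:
        raise ValueError(f"unknown result {raw_result!r}")
    record, authoritative = select_record(records, scope)
    if record is None:
        return "none"
    if authoritative:
        return raw_result
    return "pass" if raw_result == "pass" else "neutral"


# Constructed sample zone data (documentation-range addresses, not real records).
CLASSIC_ONLY = ["v=spf1 ip4:192.0.2.0/24 -all"]
BOTH = ["v=spf1 ip4:192.0.2.0/24 -all", "spf2.0/pra ip4:198.51.100.7 -all"]

if __name__ == "__main__":
    # MAIL FROM against v=spf1: a real SPF result, so FAIL stays FAIL.
    print(effective_result(CLASSIC_ONLY, "mfrom", "fail"))        # fail
    # PRA against v=spf1 only: heuristic, so FAIL becomes NEUTRAL.
    print(effective_result(CLASSIC_ONLY, "pra", "fail"))          # neutral
    # PRA where the publisher gave an explicit spf2.0/pra record: FAIL stands.
    print(effective_result(BOTH, "pra", "fail"))                  # fail
    # HELO against an spf2.0/pra-only record: no applicable record.
    print(effective_result(["spf2.0/pra -all"], "helo", "fail"))  # none
```

The split between `select_record` and `effective_result` is deliberate: the first answers "did the publisher say anything about this identity?", and the second decides how much weight a checker may put on the answer. Only the first branch (authoritative record, HELO or MAIL FROM under v=spf1) produces what the post calls an SPF result; the fallback branch is the heuristic it describes as better than the common "a/24 mx/24 ptr" default.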