On Wed, 4 May 2005, Scott Kitterman wrote:
> Perhaps rather than equate PermError with None, we should equate it with
> SoftFail (accept (eventually), but perhaps be extra suspicious).

The RFC shouldn't "equate" PermError with anything. It is one of the
possible results of evaluating an SPF policy, just like PASS, FAIL,
or NEUTRAL. Ultimately, it is up to the receiver's policy what to
do with *any* SPF result. The RFC should make clear the sender's
policy for a given email.
e.g.:
PASS      "sent via authorized means"
FAIL      "not sent via any authorized means"
SOFTFAIL  "not sent via any authorized means . . . we think"
NEUTRAL   "we don't know"
NONE      "What's SPF?"
PermError "Our policy is screwed up."
TempError "Ask us again in a few hours"
(not that any of the above are appropriate RFC language :-)
The RFC should outline general guidelines for receiver policy, but
they should all use words like MAY and SHOULD. No one should be
forced to accept or reject email.
In any case, there should be a clear distinction between an SPF *result*
(which had better be completely objective and deterministic) and
the receiver's *response* to that result (which can vary with mood,
political persuasion, random number generator, etc). [*]
What would *really* be helpful for policy implementors (as opposed
to SPF evaluator implementors) are some sample receiver policies for several
scenarios:
1) Big ISP with millions of email users
2) Small business with dozens of email users
3) Ecommerce web site with dozens of public role-based email addresses,
and hundreds of private mailboxes.
For example, the big ISP might need per-user policies.
[*] Seriously, I've considered randomly deciding whether to
accept or reject suspicious emails with 4xx. It means:
a) I don't have to keep track of whether I've seen a particular email before.
b) Legit emails that keep trying will eventually get through.
c) Spam emails that aren't queued won't keep trying.
d) I can tune what percentage get through with a simple parameter.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
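
The split between SPF *result* and receiver *response*, together with the footnote's randomized 4xx idea, as an added example that is not part of the original message. The set of "suspicious" results, the 550 on FAIL, the reply texts and all function names are assumptions chosen for illustration; a real receiver would pick its own.

```python
import random

# Assumption (not from the message): results this receiver treats as "suspicious".
SUSPICIOUS = {"softfail", "neutral", "permerror"}

def respond(spf_result, accept_rate=0.25, rng=random):
    """Receiver *response* to an objective SPF *result*: (SMTP code, text).

    accept_rate is the single tuning parameter from point (d): the fraction
    of suspicious deliveries let through on any one attempt.
    """
    result = spf_result.lower()
    if result == "fail":
        return (550, "rejected by local policy")        # assumed local choice
    if result == "temperror":
        return (451, "SPF lookup failed, try again later")
    if result in SUSPICIOUS and rng.random() >= accept_rate:
        return (451, "try again later")                 # stateless random deferral
    return (250, "ok")                                  # pass, none, or lucky draw

def attempts_until_accepted(spf_result, accept_rate, rng, max_attempts=50):
    """Simulate a queueing sender that retries on 4xx (point b).

    Returns the attempt number that got a 250, or None if the message was
    permanently rejected or never accepted within max_attempts.
    """
    for attempt in range(1, max_attempts + 1):
        code, _ = respond(spf_result, accept_rate, rng)
        if code == 250:
            return attempt
        if code >= 500:
            return None
    return None

def one_shot_delivery_rate(spf_result, accept_rate, rng, trials=10000):
    """Fraction of non-retrying senders (point c) that get through."""
    hits = sum(respond(spf_result, accept_rate, rng)[0] == 250 for _ in range(trials))
    return hits / trials

def pass_through_probability(accept_rate, attempts):
    """Chance a suspicious message is accepted within `attempts` tries."""
    return 1 - (1 - accept_rate) ** attempts

if __name__ == "__main__":
    rng = random.Random(2005)  # seeded so the run is repeatable
    print("retrying sender accepted on attempt",
          attempts_until_accepted("softfail", 0.25, rng))
    print("one-shot sender delivery rate",
          one_shot_delivery_rate("softfail", 0.25, rng))
```

No per-message state is kept (point a): each attempt is an independent draw, so a sender that never retries is held to roughly `accept_rate`, while one that queues and retries is accepted with probability `1 - (1 - accept_rate)**n` after `n` attempts.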