Mark Shewmaker wrote:
> I would like to bring up two things:
Thanks for bringing it up, although the thread unfortunately seems to have
degenerated into a text war.
> 1. The default overall result isn't defined for all cases in which the
> mailfrom and helo results don't match.
> I'm not quite sure what the right answer should be here, [...]
#INCLUDE <200505100209.44743.bulk@mehnle.net>[1]
I agree that the point of SPFv1 is to determine whether a message uses
legitimate envelope identities. Thus it is of course beneficial to gather
as much relevant information as possible on the authenticity of a message.
That's why we recommend doing both HELO and MAIL FROM checks.
HOWEVER...
> My initial thoughts were that the standard should say to use the "worse"
> of the two answers, with the worst-to-best list being (PermError,
> TempError, SoftFail, None, Neutral, Fail, Pass).
| 9.3 Forwarding Services and Aliases
| [...]
| 3. The end, when e-mail is received.
| [...]
| * Tests against other identities, such as the "HELO" identity,
| may be used to override a failed test against the "MAIL FROM"
| identity.
...the relationship between the results of the HELO and MAIL FROM checks
depends strongly on how the receiver treats the various result codes. It
is also very difficult to objectively define an order of quality (or
certainty) for the various results.
I can follow your "widget" example, and based on all this, I strongly tend
towards not defining an "overall result" and leaving it to receiver policy
how to treat the individual results of the HELO and MAIL FROM checks.
This is NOT something that needs to be defined globally in order to enable
domain owners to publish policies that are understood the same way by
everyone. We define the HELO and MAIL FROM identities, and we define the
exact meaning of the various result codes with regard to the identity
being checked. That is sufficient.
Thus I propose the following change:
--- draft-schlitt-spf-classic-01pre5.xml
+++ draft-schlitt-spf-classic-01pre5+mehnle_no_overall_result.xml
@@ -192,10 +192,8 @@
<t>
It is RECOMMENDED that SPF clients check not only the "MAIL
- FROM" identity, but also the "HELO" identity by applying the
- check_host() function (<xref target="function"/>) to the
- "HELO" identity as the <sender>. If the HELO test is
- performed, and results in a "Fail", the overall result for
- the SMTP session is "Fail", and there is no need to test the
- "MAIL FROM" identity.
+ FROM" identity, but also separately check the "HELO" identity
+ by applying the check_host() function (<xref
+ target="function"/>) to the "HELO" identity as the
+ <sender>.
</t>
</section>
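Review bot: with the sentence "If the HELO test is performed, and results in a "Fail", the overall result for the SMTP session is "Fail"" removed, this paragraph no longer says anything about what a receiver does with a HELO "Fail"; a one-sentence pointer that the two results are reported separately and combined by local policy would make the omission read as intentional rather than accidental. Minor wording: "check not only the "MAIL FROM" identity, but also separately check the "HELO" identity" repeats "check"; consider "It is RECOMMENDED that SPF clients check not only the "MAIL FROM" identity but also, separately, the "HELO" identity by applying the check_host() function ...".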
@@ -220,8 +218,8 @@
</t>
<t>
- SPF clients MUST check the "MAIL FROM" identity unless HELO
- testing produced a "Fail". SPF clients check the "MAIL
- FROM" identity by applying the check_host() function to the
- "MAIL FROM" identity as the <sender>.
+ SPF clients MUST check the "MAIL FROM" identity. SPF
+ clients check the "MAIL FROM" identity by applying the
+ check_host() function to the "MAIL FROM" identity as the
+ <sender>.
</t>
</section>
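Review bot: the new unconditional "SPF clients MUST check the "MAIL FROM" identity" drops the early exit after a HELO "Fail", so a client that has already rejected the session at HELO can never satisfy the MUST (no MAIL FROM command is ever received); scope the requirement to sessions that reach MAIL FROM, e.g. "SPF clients MUST check the "MAIL FROM" identity when it is presented". The two remaining sentences also restate each other; they can be merged into "SPF clients MUST check the "MAIL FROM" identity by applying the check_host() function to the "MAIL FROM" identity as the <sender>."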
Yay, it even makes the spec shorter!
> I'm not quite sure what the right answer should be here, but leaving
> it undefined just doesn't seem right.
Why?
References:
1.
http://archives.listbox.com/spf-discuss@v2.listbox.com/200505/0258.html
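The two positions in the thread are a fixed "worse of the two" ordering (Mark's quoted list) versus leaving the combination of the separate HELO and MAIL FROM results to receiver policy (the proposed text). The Python below is an added example, not code from this thread or from the SPF draft: it runs check_host() separately on both identities against a constructed zone table, then shows what Mark's ordering produces for mixed results next to what one assumed local policy does with the same pair. The check_host() here is a deliberate stand-in that understands only "ip4" and "all" mechanisms; the domains, addresses and the TEMPFAIL_DOMAINS set are constructed for the example.

```python
"""Two ways to treat separate HELO and MAIL FROM SPF results.

Added example; not code from the spf-discuss thread or the SPF draft.
check_host() below is a tiny stand-in that understands only the "ip4"
and "all" mechanisms over a constructed zone table, so the combination
logic can be run offline.
"""
import ipaddress

# Mark Shewmaker's proposed worst-to-best ordering, as quoted in the thread.
WORST_TO_BEST = ["PermError", "TempError", "SoftFail", "None", "Neutral", "Fail", "Pass"]

QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# Constructed zone data (domain -> SPF record); None means "no record".
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.10 -all",
    "forwarder.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nospf.example.org": None,
    "broken.example.org": "v=spf1 ip4:not-an-address -all",
}
TEMPFAIL_DOMAINS = {"dnsdown.example"}  # constructed: DNS lookups time out


def check_host(ip, domain):
    """Stand-in for check_host(<ip>, <domain>); returns an SPF result string."""
    if domain in TEMPFAIL_DOMAINS:
        return "TempError"
    record = ZONE.get(domain)
    if record is None:
        return "None"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "None"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]
        if term.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "PermError"  # syntactically invalid record
            if addr in net:
                return QUALIFIER[qual]
            continue
        return "PermError"  # mechanism this stand-in does not implement
    return "Neutral"  # no mechanism matched and no "all" present


def combine_worst_of(helo_result, mailfrom_result):
    """The "worse of the two" rule from the thread, using Mark's ordering."""
    return min((helo_result, mailfrom_result), key=WORST_TO_BEST.index)


def local_policy(helo_result, mailfrom_result):
    """One receiver's local policy over the two separate results.

    Illustrative policy assumed by this example, not anything the draft
    defines: either "Fail" rejects, either "TempError" defers, and every
    other pair is accepted with both results merely recorded.
    """
    if "Fail" in (helo_result, mailfrom_result):
        return "reject"
    if "TempError" in (helo_result, mailfrom_result):
        return "defer"
    return "accept"


def evaluate_session(ip, helo_name, mail_from_domain):
    """Check both identities separately and report both ways of using them."""
    helo_result = check_host(ip, helo_name)
    mailfrom_result = check_host(ip, mail_from_domain)
    return {
        "helo": helo_result,
        "mailfrom": mailfrom_result,
        "worst_of": combine_worst_of(helo_result, mailfrom_result),
        "local_policy": local_policy(helo_result, mailfrom_result),
    }


if __name__ == "__main__":
    # Constructed SMTP sessions: (client IP, HELO name, MAIL FROM domain).
    sessions = [
        ("192.0.2.10", "mail.example.com", "example.com"),
        ("203.0.113.5", "mail.example.com", "nospf.example.org"),
        ("198.51.100.7", "forwarder.example.net", "example.com"),
        ("192.0.2.10", "mail.example.com", "dnsdown.example"),
        ("192.0.2.10", "broken.example.org", "example.com"),
    ]
    for ip, helo, mfrom in sessions:
        r = evaluate_session(ip, helo, mfrom)
        print(f"{ip:<13} HELO={r['helo']:<9} MAILFROM={r['mailfrom']:<9} "
              f"worst_of={r['worst_of']:<9} policy={r['local_policy']}")
```

The second constructed session is the case the thread is about: HELO gives "Fail" and MAIL FROM gives "None", and because "Fail" sits above "None" in the quoted ordering, the worst-of rule reports "None" for the session, while a receiver that treats any "Fail" as a reject decides differently from the same two results. The third session is the forwarding shape from section 9.3 (HELO "Pass", MAIL FROM "Fail"), where the worst-of rule and this particular local policy happen to agree.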