spf-discuss

Re: MUST SPF checking be done during SMTP time?

2005-05-14 06:16:14
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Mehnle wrote:
> Wayne Schlitt wrote:
>
>> I did not apply this one.  As discussed on #spf, Chuck feels very
>> strongly about requiring SPF being done during the SMTP transaction
>> and not during later processing, such as SpamAssassin and other
>> filters are doing.
>
> On the one hand, Chuck is correct in that this is the "right thing" to do,
> because during the SMTP transaction, the required identities are
> _reliably_ known, and "Received-SPF" headers can be generated for
> applications that need to "check" SPF at a later time.
>
> On the other hand, there is little reason why checking SPF at a later time
> is _inherently_ worse.  Systems don't necessarily have to use unreliable
> identities after SMTP time.  Systems don't necessarily have to generate
> bounces after SMTP time.  As long as you are guaranteed to work on
> reliable identities, you can be SPF compliant.  (Also, whether bounces are
> generated is outside the scope of SPF, even though it is unsocial
> behavior.  Recommend against it if you wish, but not in RFC 2119 terms.)
>
> I think we should go the latter route, but it is not a strong preference.

We keep talking about this as though there is nothing wrong with
bouncing and as though we're concerned about implementations like
SpamAssassin. I have nothing against SpamAssassin but it is *NOT*
directly concerned with what we're trying to accomplish with our
protocol description.

In my opinion we are continually worrying about things that have
*NOTHING* to do with MTA <----> MTA communication. I had thought (still
do actually) that that was, is, and should be our principal focus. If it
is... then doing SPF checks during the SMTP transaction is the only
right way to do it and we should/MUST write the spec so that this is
clear to all!

- --
csm(_at_)moongroup(_dot_)com, head geek
http://moongroup.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFChfoev6Gjsf2pQ0oRAkkOAJ9kWj/w9dnPO3weMyxMLqWLv9obBACfbC9C
7IQfsQpapxb1uL3KH/Mlu1s=
=stXM
-----END PGP SIGNATURE-----
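
The option raised in Julian Mehnle's message, a later filter staying on reliable identities by reading the "Received-SPF" header recorded at SMTP time, is sketched here as an added example; it is not code from this thread or from any SPF implementation. The host names, the constructed sample message and the trust rule (accept only the field sitting directly above the border MTA's own Received line) are assumptions.

```python
import re
from email import message_from_string

BORDER = "mx.example.net"            # assumed: our own SMTP receiver
INTERNAL = {"filter.example.net"}    # assumed: hops behind the border

# Constructed sample: the sender pre-seeded a forged "pass" below our hop.
SAMPLE = """\
Received: from mx.example.net by filter.example.net; Sat, 14 May 2005 06:16:20 -0400
Received-SPF: fail (mx.example.net: domain of user@example.org does not
 designate 192.0.2.66 as permitted sender) receiver=mx.example.net;
 client-ip=192.0.2.66; envelope-from="user@example.org"; helo=mail.example.org;
Received: from mail.example.org (192.0.2.66) by mx.example.net; Sat, 14 May 2005 06:16:14 -0400
Received-SPF: pass (forged by sender) receiver=mx.example.net; client-ip=192.0.2.1;
Received: from localhost by mail.example.org; Sat, 14 May 2005 06:16:00 -0400
From: user@example.org
Subject: constructed test message

body
"""

def parse_received_spf(value):
    """Split a Received-SPF value into (result, {key: value})."""
    value = " ".join(value.split())               # unfold continuation lines
    result = value.split(" ", 1)[0].lower()
    bare = re.sub(r"\([^)]*\)", "", value)        # drop the free-text comment
    pairs = re.findall(r'([\w-]+)=("[^"]*"|[^;\s]+)', bare)
    return result, {k.lower(): v.strip('"') for k, v in pairs}

def trusted_spf(raw, border=BORDER, internal=INTERNAL):
    """Return the SMTP-time SPF record written by our border MTA, or None."""
    latest = None
    for name, value in message_from_string(raw).items():   # top-down walk
        if name.lower() == "received-spf":
            latest = parse_received_spf(value)
        elif name.lower() == "received":
            m = re.search(r"\bby\s+([\w.-]+)", value)
            by = m.group(1).lower() if m else ""
            if by == border:
                # Everything below this line came from the sender: stop here.
                ok = latest and latest[1].get("receiver") == border
                return latest if ok else None
            if by not in internal:
                return None        # left our trust boundary without a record
            latest = None          # record must sit right above border's line
    return None

if __name__ == "__main__":
    print(trusted_spf(SAMPLE))
```

A filter that gets `None` back has no SMTP-time result to rely on and should treat the SPF status as unknown rather than trust any other Received-SPF field in the message.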