spf-discuss

People keep misunderstanding what "Pass" and "Neutral" mean (was: Time to start rejecting on neutral?)

2005-05-17 05:14:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guy wrote:
> I have never liked NEUTRAL.  It is like NONE.  So, no point.
> I would like to see something between PASS and NEUTRAL, maybe NORMAL, or
> EXPECTED.  This would be used for a shared MTA like I must use since my
> IP address is dynamic and on some blacklists as such.  It is NORMAL for
> mail to come from me via my ISP's MTA.  But I should not use PASS since
> it can be forged, and I can't promise I really sent it.

People keep misunderstanding what "Pass" and "Neutral" mean:

| 2.5.3.  Pass
| 
|    A "Pass" result means that the client is authorized to inject mail
|    with the given identity.  [...]

| 2.5.2.  Neutral
| 
|    The domain owner has explicitly stated that they don't know whether
|    the IP address is authorized or not.  [...]

"Pass" does not (or should not) mean that the identity is guaranteed not to 
be forged, it just means that the sending host has been authorized by the 
domain owner to use this identity.

From a theoretical point of view, mail from shared MTAs should get "Pass", 
too, like mail from secure sources.  SPF cannot take on the task of 
securing shared MTAs -- the operators of those have to take care of that 
by themselves.  Also from a theoretical point of view, "Neutral" ("?") is 
mostly pointless because it doesn't make sense to say "I don't know 
whether that IP address is authorized" -- the publisher by definition 
should know which hosts he wants to authorize.  It is _his_ decision.

Now, in practice, many policy publishers apply "?" to their shared MTAs 
because they don't trust them to prevent cross-user forgery.  That doesn't 
accurately describe what they mean, but it usually does what they want.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCieA/wL7PKlBZWjsRAjzmAJ9Us9Opm3LsehRYGQENmBLMvbIOhACguTLh
oJYQsu9dvo8D19yJivbL/Xk=
=EKQV
-----END PGP SIGNATURE-----
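
Added example, not part of the post above and not code from any SPF implementation: a minimal SPF evaluator that shows what the "?" qualifier on a shared MTA actually produces. It handles only the `ip4`, `include` and `all` mechanisms, and the zone data (`example.com`, `shared-mta.example.net`, the addresses) is constructed for illustration. Per the SPF rules, an `include` matches only when the included record yields "Pass", and the qualifier in front of the `include` then decides the outcome; a record with no matching mechanism ends in "Neutral".

```python
import ipaddress

# Constructed zone data standing in for TXT lookups (hypothetical names/IPs).
# example.com authorizes its own MX directly and marks the shared MTA as "?":
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ?include:shared-mta.example.net -all",
    "shared-mta.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Same publisher, but trusting the shared MTA fully ("+" is the default qualifier).
DNS_TXT_TRUSTING = dict(
    DNS_TXT,
    **{"example.com": "v=spf1 ip4:192.0.2.10 include:shared-mta.example.net -all"},
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4, include and all are supported; anything else is a permerror.
    """
    if depth > 10:  # SPF limits DNS-querying mechanisms; guard against loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"

    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = (addr.version == 4
                       and addr in ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            # include "matches" only if the included record gives Pass;
            # the outer qualifier then decides what that match means.
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"

        if matched:
            return QUALIFIERS[qualifier]

    # No mechanism matched and no explicit "all": the default result is Neutral.
    return "neutral"


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(src, "?include ->", check_host(src, "example.com"),
              "| include ->", check_host(src, "example.com", DNS_TXT_TRUSTING))
```

Run it and the shared MTA address (198.51.100.25) comes back "neutral" under the "?include" policy but "pass" under the plain "include" policy, while the publisher's own MX gives "pass" and an unrelated host gives "fail" in both. That is the practical effect the post describes: "?" does not say "I don't know whether this host is authorized", it lets the publisher decline to vouch for a host it cannot keep other customers from using.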

