spf-discuss

Re: People keep misunderstanding what "Pass" and "Neutral" mean (was: Time to start rejecting on neutral?)

2005-05-17 06:30:52

From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>


> People keep misunderstanding what "Pass" and "Neutral" mean:
>
> ...
>
> Now, in practice, many policy publishers apply "?" to their shared MTAs
> because they don't trust them to prevent cross-user forgery.  That doesn't
> accurately describe what they mean, but it usually does what they want.

Well, SPF will forever have problems (a thorn in its side) if relaxed
provisions are not removed, addressed or at least made time limited.

Think about it.  It will only be a matter of time before relaxed domains
are highly targeted by spoofers and/or spammers use relaxed
domains.

For SPF to be successful, it has to be a strong policy and as more and more
systems use it, spammers will look for the loopholes.

Of course, the forwarding problem is still an issue, but I don't think
allowing relaxed provisions as a way to solve/reduce the forwarding problem
from an administrative/setup standpoint is good.

I think the forwarding problem will be solved eventually.  Either SRS,
SUBMITTER or some combined HELO concept or some other method.

Many networks will take a better look at their networks and take the proper
actions to remove the forwarding problem in order to get the benefits of SPF
if it had a stronger policy against it.   But as long as the relaxed
provisions remain, it will forever be a loophole into the system.  I have
no doubt about that.

The compromise, as I stated many times, is an "Expiration Concept" for
relaxed provisions.   This puts responsibility into the hands of the
Administrator that when they begin to consider SPF, they need to couple the
effort with better analysis and possibly reorganizations and/or ISP policies
to secure the network.   They can't just add a relaxed policy and leave it
as is forever, because now it opens a loophole into the system and puts the
burden (and overhead) on the servers.  It is a waste of time.

For me, it is either a NONE, PASS or a FAIL and, under a "Time Limited"
concept, a relaxed result.

I believe what will happen is that SMTP developers will add it themselves
eventually one way or another.  In fact, this is what we have in our SPF
configuration for our sysops:

; SPF can return low trust results. A pass means the sender has
; a valid SPF record and is accepted. Softfail and Neutral mean
; no match is found but rejection is not automatic.  Setting a
; true accept can provide a loophole for potential spoofers who have
; SPF records and think it will allow them in.  The options
; below allow you to control this.

Accept-SPF-Pass      True            ; if false, continue testing
Accept-SPF-SoftFail  False           ; if false, continue testing
Accept-SPF-Neutral   False           ; if false, continue testing

----
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats  (WcSAP Anti-Spam Stats)
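As an added illustration (not code from the post, nor from Wildcat!/WcSAP), the following parses Accept-SPF-* settings in the layout shown above and maps an SPF result to a receiver action, adding the poster's proposed time limit on relaxed (neutral/softfail) acceptance as a hypothetical `relaxed_until` date; the config text is a constructed sample and the fail-means-reject rule is an assumption.

```python
from datetime import date

# Constructed sample in the same "Key  Value  ; comment" layout as the post.
CONFIG_TEXT = """
; Accept-SPF-* settings (constructed sample)
Accept-SPF-Pass      True            ; if false, continue testing
Accept-SPF-SoftFail  False           ; if false, continue testing
Accept-SPF-Neutral   False           ; if false, continue testing
"""

# Which setting governs each SPF result that can be "accepted".
OPTION_FOR_RESULT = {
    "pass": "Accept-SPF-Pass",
    "softfail": "Accept-SPF-SoftFail",
    "neutral": "Accept-SPF-Neutral",
}


def parse_config(text):
    """Return {key: bool}; ';' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip().lower() == "true"
    return settings


def spf_action(result, settings, relaxed_until=None, today=None):
    """Map an SPF result to 'accept', 'reject' or 'continue' (keep testing).

    Assumption: fail is rejected outright (the poster's NONE/PASS/FAIL stance).
    Softfail/neutral are accepted only if their Accept-SPF-* option is true
    and, when a hypothetical expiry date relaxed_until is set, today is not
    past it; after expiry the relaxed acceptance lapses and testing continues.
    """
    result = result.lower()
    if result == "fail":
        return "reject"
    option = OPTION_FOR_RESULT.get(result)
    if option is None or not settings.get(option, False):
        return "continue"  # none/temperror/permerror, or option disabled
    if result != "pass" and relaxed_until is not None:
        if (today or date.today()) > relaxed_until:
            return "continue"  # time-limited relaxed provision has expired
    return "accept"
```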



