spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 07:48:44
On Tue, May 17, 2005 at 10:32:39AM -0400, Hector Santos wrote:

If someone wants to use "v=spf1 ?a:example.com -all", that's
fine with me.  Should a user of example.com forge email, then
this user can be tracked much more easily than a random
user somewhere included in "-all".

This is a valid policy:  Let me handle abuse at example.com and
do not trust the rest of the world.

I agree and disagree :-)

While I think this is "valid policy" it has to be time limited.

When you say "me"  do you mean the domain holder or the server?

The domain holder publishes the policy.  The domain holder has
sufficient trust in the server's manager to specify "?".  Should
the server become unreliable, that is something the domain holder
has to evaluate.

(I say again: IMHO the question mark can be left out here; I am
defending an opinion that's not mine).

This is important because if a server is enduring continued example.com mail
with neutral/softfail results, then the burden of handling abuse at
example.com is now on the server, not you.  You have essentially passed on
the responsibility to everyone else to "scratch" their heads about
example.com.

Huh?  The server's name is "example.com", this tells nothing about
the email domain used.  Abuse mail will go to the domain owner, NOT to
example.com

It is the domain owner that will need to contact example.com and get
them to punish the spoofer.

In such a case, the SPF server can be more tolerant.  But do we really want
to go into this?   I don't think so because a spammer can exploit this too.

    "v=spf1 ?a:spammer-example.com -all"

and the server always sends mail with the email domain: spammer-example.com

So?

The host with name "spammer-example.com" is emitting email with domain
"spammer-example.com" which is exactly what we want.


Maybe I don't get what you're getting at.  I think one of us is having a bad day
and I sure hope it's you, (not too bad though) :)

Alex
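
An added example, not part of the original message or of any SPF implementation: a Python sketch that evaluates the record discussed in this thread, showing which result a receiver gets for the named host versus any other host. It covers only the `a`, `ip4` and `all` mechanisms; the DNS table, the IP addresses and the sender domain `customer.example` are constructed assumptions.

```python
import ipaddress

# Constructed A records standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "example.com": ["192.0.2.10"],
    "spammer-example.com": ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, sender_domain, dns=CONSTRUCTED_DNS):
    """Evaluate a subset of SPF (a, ip4, all) and return the result name."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A mechanism without a qualifier is treated as "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # "a" with no argument refers to the sender's own domain.
            matched = str(ip) in dns.get(arg or sender_domain, [])
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"term outside this example's subset: {term}")
        if matched:
            return QUALIFIERS[qualifier]  # first match wins, left to right
    return "neutral"  # nothing matched and there was no "all"


if __name__ == "__main__":
    policy = "v=spf1 ?a:example.com -all"
    for client in ("192.0.2.10", "203.0.113.99"):
        print(client, check_spf(policy, client, "customer.example"))
```

With this policy only the host named example.com gets "neutral"; every other source gets "fail", so a receiver that rejects on neutral would reject all mail for the domain.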