spf-discuss

Re: For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-17 19:27:07
On Tue, May 17, 2005 at 04:15:29PM -0400, Stuart D. Gathman wrote:

> PASS is meaningless unless it is option b - so that is the only option
> I can support.  A NEUTRAL result already gives you the equivalent of option a.
> This is consistent with NONE, because having no SPF record means that you have
> authorized the entire internet to send your mail.

No, not publishing a policy does NOT mean you have authorized the
entire internet to send mail in your name.  SPF is opt-in, not opt-out.

Compare with locks.  Not having a lock does not mean you allow anyone
to enter your office and take your stuff.  You take a huge risk but
you did not authorize them.

> Primary results:
> FAIL          - not authorized and definitely not authentic
> NEUTRAL/NONE  - authorized, but not necessarily authentic
> PASS          - authorized and authentic to the best of our ability

As I have proved above, this cannot hold.  Therefore there's
something wrong with the line of reasoning.  And there is; way
too much weight is put into this authentication statement.  If
you want strong authentication, USE strong authentication.

> FAIL          - not authorized and definitely not authentic

definitely not authorized and probably not authentic
(this is almost the reverse of what you have!)

> PASS          - authorized and authentic to the best of our ability

Authorized thus reasonably confident it is authentic.  Complain
to me if this host's keeper doesn't do its job, I will take action
and stake my reputation on it.  Occasionally sh*t will happen but
I will make every effort to correct the situation.

> NEUTRAL       - authorized, but not necessarily authentic

Not authorized but also not forbidden.  I can't tell.  Do whatever
you need to do with this email.  I hope you will accept it but I
don't blame you if you don't trust me as I do not trust my provider.

>         NONE  - authorized, but not necessarily authentic

{Huh? SPF? | SPF? Not yet! }

> Relaxed result:
> SOFTFAIL      - give us a break, mail configuration is hard

Give my peers a break.  I didn't authorize this host but my
{customers|coworkers|family members} may not yet be aware.
I wouldn't mind if you tell me, or them, about the problem.


And to continue on the authentication, what about:

"v=spf1 @example.com @example.org ?example.org -all"

I sign all messages sent from example.com, I may also do
this via example.org but not always.  I never send email
from other locations.  Should you receive a message via
example.org and should this message not be signed, don't
be sure it's me but don't assume it is a forgery either.

alex
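Added example, not part of the original post and not code from either poster: a minimal SPF evaluator showing how the five results argued about above (pass, fail, softfail, neutral, none) fall out of a record's qualifiers, including the distinction between "neutral" (a policy was published but does not decide) and "none" (no policy published at all). It implements only the ip4, ip6 and all mechanisms from RFC 7208 with the +, -, ~ and ? qualifiers, looks records up in a constructed in-memory zone instead of DNS so it runs offline, and does not implement the "@" signing syntax proposed in the message, which is not part of SPF.

```python
import ipaddress

# Result names as in RFC 7208 section 2.6. Only a small subset of the
# record grammar is handled (ip4, ip6, all with qualifiers); a, mx,
# include, redirect and macros are rejected rather than guessed at.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample zone standing in for DNS TXT lookups (domains from
# the reserved example range; these are assumptions for the demo).
SAMPLE_ZONE = {
    "strict.example":    "v=spf1 ip4:192.0.2.0/24 -all",
    "lenient.example":   "v=spf1 ip4:192.0.2.0/24 ~all",
    "undecided.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "openended.example": "v=spf1 ip4:192.0.2.0/24",
    # "unpublished.example" deliberately has no record at all
}


def parse_record(record):
    """Turn 'v=spf1 ...' into a list of (qualifier, mechanism, network)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a mechanism without qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            parsed.append((qualifier, "all", None))
        elif name in ("ip4", "ip6"):
            # strict=False lets a host address with a prefix length through
            parsed.append((qualifier, name, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError(f"mechanism {name!r} not supported by this demo")
    return parsed


def check_host(zone, ip, domain):
    """Evaluate the sender IP against the domain's record; return the result name."""
    record = zone.get(domain)
    if record is None:
        return "none"  # nothing published: the receiver learns nothing either way
    addr = ipaddress.ip_address(ip)
    for qualifier, name, net in parse_record(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        # ip4 only ever matches IPv4 senders and ip6 only IPv6 ones
        if net.version == addr.version and addr in net:
            return QUALIFIER_RESULT[qualifier]
    # RFC 7208 section 4.7: no mechanism matched and no "all" present
    return "neutral"


def evaluate_all(zone, ip, domains):
    """Convenience helper: result per domain for one sending IP."""
    return {d: check_host(zone, ip, d) for d in domains}


if __name__ == "__main__":
    domains = list(SAMPLE_ZONE) + ["unpublished.example"]
    for sender in ("192.0.2.10", "198.51.100.10", "2001:db8::1"):
        print(sender)
        for domain, result in evaluate_all(SAMPLE_ZONE, sender, domains).items():
            print(f"  {domain:20s} {result}")
```

The last two rows of the printout are the point of the thread: openended.example and unpublished.example both yield a non-decision for an unlisted sender, but one is "neutral" because the owner published a record that stops short of forbidding the host, while the other is "none" because nothing was published at all.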
