On Wed, 18 May 2005, Chris Haynes wrote:
It's not the vocabulary that's wrong, its the logic.
SPF is billed as "anti-forgery". A PASS had better translate
to "not forged" for some meaning of "forged". And FAIL had
better translate to "forged" for the same meaning. NEUTRAL
is defined in the spec to be the same status as NONE - meaning
that that particular IP has not yet been classified into PASS or FAIL
(for whatever reason). It might be treated slightly differently from
NONE by the receiver since the domain has at least started the process of
classifying IPs (assuming the record is not "v=spf1 ?all").
Logically, SPF lets domain owners classify IP addresses into
PASS and FAIL. Since the task of securely classifying all potential
source IPs for email might be too large to finish all at one
go, there is the provision of NEUTRAL meaning "not yet classified". SPF
defaults to "nothing is classified" (NONE).
What I think we are trying to make with PASS is two logically-different
declarations:
1) That the IP is authorised by the domain owner to send messages on its
behalf,
That is what NEUTRAL is for, although I'd say "use of the IP to send
messages for the domain has not been explicitly prohibited". The way
you word it, it sound like you are asking for a SOFTPASS (the IP has
our permission to send from our domain, but we don't fully trust it).
SOFTPASS might be useful for outsourced mass mailers. I would probably
end up treating it the same as SOFTFAIL for that reason.
The point of NEUTRAL is that the domain has not yet done anything about
the IP - it is still the same status as NONE, as it was before they began the
task of classifying IPs via SPF. That is why the spec says NEUTRAL == NONE.
2) That the IP is trusted by the domain owner _not_ to send messages
purporting to be from the domain that were not, in fact sent by that domain
That is what PASS is for. You are right, they are logically distinct.
Using similar language, NEUTRAL means : the domain does send authorised
messages via this IP, but it is possible that the IP can also send messages
claiming to be from the domain but which were not actually authorised. The
recipient cannot therefore make any firm decision on the authenticity of any
specific message on the basis of this test alone.
It means the domain owner hasn't dealt with it properly yet. Eventually,
they'll get around to installing SMTP AUTH, changing ISPs, or whatever it
takes to secure their email.
SOFTFAIL (to me) says: The domain does not intend to send mail via this IP,
so anything claiming to be from the domain is probably unauthorised, but
please inform the domain owner about all such attempts, in case the domain
has made an error in configuring its mail system.
I'd agree with that.
FAIL says: Anything coming from this IP which claims to be from our domain is
certainly unauthorised.
I'd agree with that.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.