In <428EB7AA(_dot_)355(_at_)xyzzy(_dot_)claranet(_dot_)de> Frank Ellermann
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> writes:
> wayne wrote:
>> Given that all specs say PermError MUST be treated as None
>
> That's not the case, the last SPF spec. published today says
> (incorrectly) "like SOFTFAIL" = 4xx, and the previous spec.s
> back to schlitt-00 / lentczner-00 had a "SHOULD reject" (5xx).

Personally, I don't consider lentczner-00 an "SPF-classic" spec. It
wasn't long after it was submitted to the IETF when the SPF council
was formed and there was a vote to adopt schlitt-00. I have been
working to restore mengwong-spf-0[01] semantics ever since. As far as
schlitt-00 having it, I consider it a bug in the spec.

I am getting really nervous about some of the stuff with NXDOMAIN and
PermError.

I can completely understand a Receiver Policy that rejects email when
the MAIL FROM is NXDOMAIN. Rejecting email on the HELO domain being
invalid doesn't seem as wise to me.

However, it looks like what people are trying to do is have NXDOMAIN
be a PermError and PermError causing the rejection. This is really
bad since it makes a Receiver Policy into a claimed Sender Policy.

Unfortunately, PermError is caused by a lot of other things besides
just NXDOMAIN. You make one screwup on your SPF record, and *poof*,
you get lots of email rejected.

We need to try to make SPF failsafe. If you screw up on your Sender
Policy, then you should end up like you don't have a Sender Policy.

I think that treating NXDOMAIN as None is the most logical thing. If
i-hate-spf.com doesn't want anything to do with SPF, then an SPF check
against nxdomain.i-hate-spf.com should return None, not PermError.
There isn't a permanent error in their Sender Policy, they don't
*have* a Sender Policy.

Even if you think that treating PermError as if it was None isn't the
right thing to do, I don't think we should make that change for
SPFv1. That is something we would need to change in SPFv2.

In order to prevent people from trying to use SPF to implement their
Receiver Policy of rejecting on NXDOMAIN, I strongly believe that we
MUST have the result of NXDOMAIN be none.

In order to maintain backwards compatibility, PermError MUST be treated
as None, or at very worst, some sort of feedback request like what is
in SoftFail.

-wayne
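
Added example, not part of wayne's message or of any SPF implementation: a simplified Python model of the behaviour argued for above, where NXDOMAIN yields None and a PermError is handled as None, next to the "SHOULD reject" handling it is contrasted with. The zone data, the example domains and the functions `check_host` and `disposition` as written here are constructed for illustration, and only the `ip4` and `all` mechanisms are modelled.

```python
import ipaddress

# Constructed zone data: domain -> list of TXT strings. A domain missing
# from the dict stands for NXDOMAIN. Names and records are made up.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "typo.example": ["v=spf1 ipv4:192.0.2.0/24 -all"],  # "ipv4" is not a mechanism
    "i-hate-spf.example": ["some unrelated TXT"],        # exists, no SPF record
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def check_host(ip, domain, zone=ZONE):
    """Simplified SPF check: only the ip4 and all mechanisms are modelled."""
    if domain not in zone:
        return "None"            # NXDOMAIN: no Sender Policy exists at all
    records = [t for t in zone[domain] if t.split(" ")[0] == "v=spf1"]
    if not records:
        return "None"            # domain exists but publishes no policy
    if len(records) > 1:
        return "PermError"
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                return "PermError"
            if ipaddress.ip_address(ip) in net:
                return QUALIFIERS[qual]
        else:
            return "PermError"   # unknown or unmodelled mechanism
    return "Neutral"

def disposition(result, permerror_as_none=True):
    """Map an SPF result to an SMTP action under the two policies debated."""
    if result == "PermError" and permerror_as_none:
        result = "None"          # fail-safe: a broken policy acts like no policy
    return {"Fail": "550 reject", "PermError": "550 reject",
            "SoftFail": "250 accept, flag"}.get(result, "250 accept")
```

With `permerror_as_none=False`, the single typo in the `typo.example` record turns every message from that domain into a rejection, which is the failure mode the message warns about.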