|-----Original Message-----
|From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
|[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of wayne
|Sent: May 25, 2005 12:38 PM
|To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
|Subject: Re: [spf-discuss] Sep 22 - Jan 03
|
|Yes, each identity serves a different purpose, but both
|identities use the same DNS system. Similarly, I don't
|think it is out of line for both identities to use the same
|policy language (SPF).
Within the limited context put forward by Carl Hutzler of AOL
earlier today on ietf-mxcomp, when he wrote in part:
|-----Original Message-----
|From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
|[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Carl Hutzler
|Sent: May 25, 2005 9:24 PM
|Cc: MARID
|Subject: Re: "If you believe that the SPF concept is
|fundamentally flawed, please subscribe at
|http://www.imc.org/ietf-mxcomp/"
|
|Is this use of SPF flawed?
|
|helo domain.com
|mail from: someone(_at_)domain(_dot_)com
|
|Look up domain.com SPF record
|
|If the [connecting IP] = [SPF record] then "trust it
|more/whitelist" else do nothing end
Then I may be prepared to say yes, subject to review with
AOL of their real world results and whether:
* This runs any risk of breaking email, given all the edge
cases; and,
* It is scalable, so that it works with fixed sources from
the SOHO list owner sending an e-zine from a shared server
to COI list all the way up to and including the largest
corporate entity sending huge volumes of bulk mail on a
daily basis; and
* This is the most efficient usage of resources.
But, otherwise, no.
<snip>
|I think there is a trade-off between having different
|mechanisms that are tuned to each job, and having to learn
|only one technique that can be used several places, but is
|not optimal.
|
|It is kind of like which is the best to have: boxed-end
|wrenches, open-end wrenches, crescent wrenches or a socket
|set with extenders?
|
|Well, I think it depends on the situation. The flexibility
|of SPF to do both HELO and MAIL FROM checking is nice, and
|in my very humble opinion ;-) we don't need something as
|specialized as both SPF and CSV.
Like I said, if you intend to use v=spf1 records for the
limited purpose as suggested by Carl Hutzler, subject to my
noted caveats, fine.
But, if you want to use v=spf1 for anything else, given all
the edge cases in the real world, then it is better to have
a specialized usage for each identity.
This is why I say, it is best to be conservative and
recommend against rejection based on v=spf1 until all the
edge cases are resolved. Otherwise, apart from the
significant risk of false positives, the receiving network
may create unsolicited backscatter in bulk and find its own
servers being blacklisted.
But again, consult with the folks at AOL on what they have
found works best using v=spf1 records. To my understanding
AOL has done extensive testing. I would then proceed to
document that and recommend it.
As to the rest, I would put that down as experimental
pending resolution of the edge cases. This in my view is
prudent and ensures that people don't break stuff, while
internet access services go through the needed changes to
secure their networks.
Once these changes have occurred then folks can review
whether:
* It makes sense for people to proceed further with SPF; or
* depending on where the community is with light weight
cryptographic methods of message authentication, simply
leave things as is and have the conservative case based on
AOL's approach turned into a standard.
<snip>
As an aside, if people really want to move ahead on a
standards track document with the IETF, document what you
have as experimental and leave it.
Then subject to review of all the caveats with AOL, come up
with a protocol for white listing of fixed source bulk mail
senders and put that forward for consideration.
As to everyone else who responded, I appreciate the various
comments. True, senders publish the record, but it is the
large consumer networks that need to make it work.
If the folks handling mail for one of the largest consumer
networks in the world, that has implemented SMTP
authentication for years and are strong advocates of
network security are politely saying:
"It (being v=spf1) is okay for white listing fixed source
bulk mail senders, but not for anything else,"
Then people need to take care and listen.
John
John Glube
Toronto, Canada
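The conservative check Carl Hutzler sketches above (SPF pass means "trust it more/whitelist", every other outcome means "do nothing"), written out as an added example that is not part of this thread. The DNS records are constructed stand-ins, and checking both the HELO and the MAIL FROM identity is this example's own choice, following wayne's remark that SPF can do both.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (not real records).
FAKE_DNS = {
    "domain.com": "v=spf1 ip4:192.0.2.0/24 include:bulk.example -all",
    "bulk.example": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing edge case
    "nospf.example": None,
}

def lookup_spf(domain):
    """Return the v=spf1 TXT record for a domain, or None (constructed data)."""
    return FAKE_DNS.get(domain)

def spf_pass(ip, domain, depth=0):
    """True only if ip is explicitly authorised by domain's v=spf1 record.
    No record, fail (-all), softfail (~all), neutral and lookup-limit
    exhaustion are all treated the same way: not a pass, never a reject."""
    if depth > 10:            # bounded recursion, approximating the SPF DNS-lookup limit
        return False
    record = lookup_spf(domain)
    if not record or not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # v4 address vs v6 network (or vice versa) simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = spf_pass(ip, arg, depth + 1)
        elif name == "all":
            matched = True
        else:
            continue  # a/mx/ptr/exists need live DNS; skipped in this offline example
        if matched:
            return qualifier == "+"   # first matching mechanism decides the result
    return False

def whitelist_decision(connecting_ip, helo, mail_from):
    """Whitelist only when both the HELO domain and the MAIL FROM domain
    pass SPF for the connecting IP; otherwise take no action at all."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1].lower()
    if spf_pass(connecting_ip, helo.lower()) and spf_pass(connecting_ip, mail_from_domain):
        return "whitelist"
    return "no action"
```

Note that an SPF "fail" from `-all` lands in the same "no action" branch as a missing record, which is exactly the no-rejection posture the message argues for.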