spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 11:26:42


Mark Shewmaker wrote:
On Thu, Jun 02, 2005 at 01:33:54PM -0400, Terry Fielder wrote:

For me (but not for vanity domains) it also asserts that the email is authentic (because I trust my MTAs). But it certainly does not for my personal vanity domain and other users of outsourced MTAs.


I would suggest changing your spf records such that your mailfroms
sent from those outsourced machines that you don't fully trust
return neutral instead of pass for now.

You are correct. And in fact the domains from "my job" and my "personal" are all trusted MTAs. But I also administer some vanity domains for friends and relatives, and some outbound through their ISP's MTA, and yes, those are neutral (or in fact not published where the DNS provider does not offer TXT support yet).


Please don't let the fact that few ESPs other than pobox offer
cross-user forgery protections.

I am concerned because the ISP sees no real benefit from preventing cross customer forgery (financial or publicity).


I see no use as a receiver in seeing a response of pass that doesn't
imply full confidence.

I agree. Further it incites the possibility of inaccurate info populating reputation lists some day.



Therefore my vote is #2: "authorized"


IMHO if the spec is written to have the #2 meaning, then the meaning of
PASS will become less useful as more ESPs get a clue and advertise
prevention of cross-customer forgery as a feature.

But if the spec is written to have the #1 meaning, not only can PASS be
safely used now in a number of cases, (especially for places like ebay
where it's more important), its meaning will still be useful when
prevention of cross-user forgery is as common as prevention of open
relaying is now.

(As an amusing side note, technically only the sending MTA can really
assign meaning to mailfrom.  Example.com could have user(_at_)example(_dot_)com's
first mailfrom be a001(_at_)example(_dot_)com, the second one a002(_at_)example(_dot_)com,
etc.  It just happens that today mailfroms mostly sort of resemble the
submitter's email address, but that's not necessarily always going to be
case.

It's also not always currently the case, some ISPs (e.g. sympatico) have tried tricks like that in the past to prevent users' email addresses from getting into spam lists. It didn't work, of course.


So, considering all the past discussion on this issue, (such as
the previous discussion of softpass), I think it's sort of funny that
technically the most we can really ever proceed with confidence with is
an identity that is technically inherently opaque to begin with.  :-) )

As another side note--wasn't this decided a year ago during the pass vs.
softpass vs. hardpass debates that pass would be a strict pass?


I sure hope we can get #1 "authentic" instead of #2 "authorized". But it requires cross customer forgery FIRST in my opinion.

Perhaps I should change my vote from #2 to "neutral"   :)

--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085
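
The suggestion discussed in this message, publishing neutral rather than pass for outsourced MTAs that are not fully trusted, shown as an added example that is not part of the original e-mail or of any SPF implementation. The function name `check_spf`, the records and the IP addresses (documentation ranges) are constructed for illustration, and only the DNS-free `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Qualifier -> result, as defined by the SPF specification.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record, left to right.

    Mechanisms that need DNS (a, mx, include, ...) and modifiers are outside
    this offline sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A missing qualifier means "+", i.e. a match yields pass.
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == int(name[2]) and ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError("mechanism not supported in this sketch: " + term)
    return "neutral"  # nothing matched: the default result is neutral


# Constructed sample data (documentation address ranges).
OWN_MTA = "192.0.2.10"            # MTA the domain owner fully trusts
ISP_RELAY = "198.51.100.25"       # shared ISP relay, no cross-customer forgery checks

# Shared relay listed with the default "+" qualifier: any customer of the
# ISP gets a pass for this domain.
PASS_FOR_RELAY = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
# Same relay listed with "?": mail through it is authorized to flow but
# the receiver only sees neutral, so pass keeps its strict meaning.
NEUTRAL_FOR_RELAY = "v=spf1 ip4:192.0.2.10 ?ip4:198.51.100.0/24 -all"

if __name__ == "__main__":
    for label, rec in (("pass-for-relay", PASS_FOR_RELAY), ("neutral-for-relay", NEUTRAL_FOR_RELAY)):
        for ip in (OWN_MTA, ISP_RELAY, "203.0.113.5"):
            print(label, ip, check_spf(rec, ip))
```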