spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 18:23:30
On Fri, Jun 03, 2005 at 02:35:38AM +0200, Julian Mehnle wrote:

> SPF authorizes IP addresses.  Of course this does not mean that SPF
> authenticates IP addresses.  SPF is supposed to authenticate _domains_.

That's where we disagree.  SPF _authorizes_ hosts to use domains.

You don't use SPF to look if "example.org" really is a domain. You
use SPF to see if "mail.example.com" may send mail from example.org.

We aren't verifying example.org (use DNS and/or reputation databases
for that), we aren't verifying mail.example.com (lookup ip->ptr->ip),
we are verifying mail.example.com's authorization to say
"MAIL FROM example.org".  In other words:

SPF is not: is this example.org
SPF is not: is this mail.example.com
SPF is:     is mail.example.com allowed to say ...

> Just because the concepts of authorization and authentication are not
> identical and SPF includes the concept of authorization, that does not
> mean that SPF cannot also include the concept of authentication.

Nor does it mean it can.  This proves nothing.

Note that nowhere authentication occurs yet reputation works!

> I always thought that authenticity was all about being able to take
> something for what it appears to be.

Indeed it does.  The host appears to be "mail.example.com", but is it
authorized to say "mail from: user@example.org" ?  It certainly
doesn't appear to be "example.org", does it?

We really do need authentication.  We are using the TCP/IP protocol
for that, more specifically the three-way handshake.

mail.example.com has IP address 10.11.12.13 and we are reasonably
sure this is true (thanks to the handshake).  The host is authenticated.

Now we can verify that it is authorized to send mail on behalf of
a domain (be it its own domain or someone else's).

> You can't apply reputation without being sure that the identity at hand can
> be considered authentic.

Oh?  Why not?

example.org TXT "v=spf1 a:mail.example.com -all"

All spam/virus/other from any@example.org sent by mail.example.com
will damage example.org's reputation.  All junk from other hosts will not.

Does it matter if it was or was not example.org submitting that message?
No.  example.org trusts mail.example.com and if this trust is misplaced,
example.org does something wrong and earns the bad reputation if it
continues to use mail.example.com.  Reputation is not damaged if a
single bad message is sent.  Shit happens.  Reputation is damaged if
large quantities of bad mail are sent and/or this abuse lasts long.

Then:

Either example.org has a good reputation and you do accept messages
sent through mail.example.com, or example.org has a bad reputation and
you reject.  There's no need for you to know if it really was example.org
that sent the message.  You only want to know if you want to receive it.

If example.org has a bad reputation, who cares about SPF at all?  You
wouldn't need to apply SPF as you won't accept the message anyway.

Alex
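
The receiver-side flow argued for in the message above, as an added example that is not part of the original post: SPF answers only whether the connecting IP is authorized to use the domain in MAIL FROM, and reputation is then applied to that domain. The DNS and reputation tables are constructed, the function names are hypothetical, and only the `a:<host>`, `ip4:<network>` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed data standing in for DNS and a reputation list (all hypothetical).
DNS_TXT = {
    "example.org": "v=spf1 a:mail.example.com -all",
    "bulk.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
DNS_A = {"mail.example.com": ["10.11.12.13"]}
REPUTATION = {"example.org": "good", "bulk.example": "bad"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain):
    """SPF result for client_ip using `domain` in MAIL FROM (mechanism subset)."""
    terms = DNS_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a" and arg:
            matched = any(ip == ipaddress.ip_address(a) for a in DNS_A.get(arg, []))
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg)
        else:
            return "permerror"  # unknown or malformed term, e.g. a bare hostname
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def decide(client_ip, domain):
    """Authorization first, then the domain's reputation."""
    result = check_host(client_ip, domain)
    if result == "fail":
        # Unauthorized host: rejected without touching the domain's reputation.
        return "reject: host not authorized for domain"
    if result == "pass" and REPUTATION.get(domain) == "bad":
        # Authorized host, so the mail is charged to the domain itself.
        return "reject: domain has a bad reputation"
    return "accept"
```
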

