In <061701c567dc$ab18ea50$0600000a(_at_)john> "Chris Haynes"
<chris(_at_)harvington(_dot_)org(_dot_)uk> writes:
> You seem to be suggesting above that Neutral is an alias for None.
Actually, I am more than just suggesting, I think Neutral MUST BE an
alias for None.
> Consider the following scenario:
> 1) There is a 'vanity' domain. All its mail is sent via the MX servers
> of its MSP 'example.com'.
> 2) The MSP's MX servers do not prevent cross-customer forgery.
> 3) Anything from anywhere else on the internet was certainly not
> authorised by the vanity domain.
> What policy _would_ you recommend in the above scenario?
SPF allows for a wide variety of different Sender Policies to be
specified. It doesn't do a perfect job for all of them. In
hindsight, maybe we should have added HardPass and SoftPass results.
It is too late now for SPFv1 though.
So, to answer your question, I would evaluate how good a job
example.com does at controlling abuse, and I would evaluate what the
risks are if abusive email gets sent through example.com.
For a simple vanity domain and with a reasonably whitehat MSP, I would
publish:
v=spf1 mx:example.com -all
If abuse was found to have originated from example.com, I would
complain to them.
For a bank, I would publish:
v=spf1 ?mx:example.com -all
I would probably also look for more trustworthy places to send email
from.
-wayne
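
Added example (not part of the original message): a minimal Python evaluator, limited to the mx:<domain> and all mechanisms, showing what a receiver computes for the two records above. The MX addresses are constructed documentation-range values, and check_host and compare are illustrative names, not a full SPF implementation.

```python
import ipaddress

# Constructed DNS data (assumption): addresses of example.com's MX hosts.
MX_ADDRS = {"example.com": ["192.0.2.10", "192.0.2.11"]}

# SPF qualifier prefix -> result returned when the mechanism matches.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

VANITY = "v=spf1 mx:example.com -all"    # record suggested for the vanity domain
BANK = "v=spf1 ?mx:example.com -all"     # record suggested for a bank


def check_host(record, client_ip):
    """Evaluate an SPF record that uses only mx:<domain> and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"                    # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                  # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx" and arg:
            hosts = MX_ADDRS.get(arg.lower(), [])
            matched = any(ip == ipaddress.ip_address(a) for a in hosts)
        else:
            return "PermError"           # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                     # nothing matched: default result


def compare(client_ip):
    """Return (vanity result, bank result) for one connecting address."""
    return check_host(VANITY, client_ip), check_host(BANK, client_ip)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.7"):   # MSP MX host, unrelated host
        print(addr, compare(addr))
```

A connection from one of example.com's MX hosts gets Pass under the vanity record but only Neutral under the bank record, while both records return Fail for any other source.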