spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 19:11:22

Alex van den Bogaerdt wrote:
It doesn't matter who sent the message.  If it goes through an
authorized host, domainowner.example.ORG has to deal with abuse.

Exactly, and that's why...
| authorizing smtp.example.COM to send mail using domainowner.example.ORG
| as the sender address
...is perfectly equivalent to...
| asserting authenticity of the use of domainowner.example.ORG as the
| sender address in all mail coming from smtp.example.COM.   

Or, if you disagree, then what's the difference between the two?

Ergo it is, in _any_ case, not very useful to assert "Pass" for MTAs
who do not prevent cross-customer forgery, even if "Pass" just means
"you can send me the bounces".

I happen to know a host that I fully trust but which does not
prevent cross customer forgery.  If I want to say "+thathost"
then it's _my_ domain's reputation at stake.

Well, you can.  Even if "Pass" implies authenticity.  It may not be useful 
if the host is not guaranteed to prevent cross-customer forgery, but it's 
your choice.  I never said anything to the contrary. :-)

"Pass" really cannot mean anything other than a full "authentic" AKA
"you can hold my domain responsible".  q.e.d.

I deal with complaints, having sent the message or not.

I thought SPF was supposed to prevent that.  Maybe SPF has become entirely 
pointless now.  I sure hope not.

Authentic != {accountable|responsible}.

If "authentic" does not mean "I know for sure who is responsible", then 
what does it mean?
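
The point argued in this message, as an added example that is not part of the original post: a receiver's SPF check sees only the connecting IP and the envelope sender domain, so mail relayed through a shared host that does not prevent cross-customer forgery gets the same "Pass" whichever customer submitted it. The records, IP address, customer names and the subset evaluator (`ip4` and `all` only) are constructed assumptions.

```python
import ipaddress

# Constructed SPF records (assumption): two customers of one shared relay,
# smtp.example.COM at 192.0.2.25, each authorize that relay's address.
SPF_RECORDS = {
    "domainowner.example.org": "v=spf1 ip4:192.0.2.25 -all",
    "othercustomer.example.net": "v=spf1 ip4:192.0.2.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate only the ip4 and all mechanisms of an SPF record."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"               # mechanism outside this subset
    return "neutral"

def relay_results(relay_ip, submissions):
    """SPF result the receiver computes for each message the relay forwards."""
    return [(customer, sender, check_host(relay_ip, sender.rsplit("@", 1)[1]))
            for customer, sender in submissions]

# Constructed submissions: (customer who handed the mail to the relay, envelope sender).
SUBMISSIONS = [
    ("domainowner", "alice@domainowner.example.org"),    # owner's own mail
    ("othercustomer", "alice@domainowner.example.org"),  # another customer, same sender
]

if __name__ == "__main__":
    for row in relay_results("192.0.2.25", SUBMISSIONS):
        print(row)  # the customer column is invisible to the receiver
```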