On Monday, June 20, 2005 12:06 AM "Alex van den Bogaerdt" suggested
On Sun, Jun 19, 2005 at 03:59:17PM -0700, william(at)elan.net wrote:
>>| and the vast majority of published SPF records are v1. Nonetheless,
>>| Hotmail says that they will only check v2 records, and if a domain has
>>| no record, they'll treat that as a Sender-ID failure and display the
>>| yellow warning box.
>
>Classic MicroSoft behaviour is it not.
No, that the thing - it is not. Having them only use their own spf2.0/pra
records is what we've been asking them - and they've been most resistant
to accept.
So that's yet another thing where they've earned the benefit of doubt.
I seem to recall something similar happening to AOL, eons ago.
On the other hand: if MS checks against v=spf1 records and this results
in a PASS, they could display "verified". I see no objection to that,
is there? This would be handy for the many cases where RFC822_from
equals RFC821_from.
My objection is this...
When people publish SPF1 records authorising an IP to introduce mail with a 2821
Mail From, that's all they are authorising that entity to do.
Using this record to decide about a 2822 PRA (e.g. From:) test is effectively
treating the 'authority to inject mail' as an 'authority to originate mail'.
That's what, to me, constitutes 'abuse' in M$'s proposed use of SPF1 records:
without the record-owner's permission or knowledge it 'upgrades' the authority
delegated to the sending IP system.
If a bank, for example, uses a third party to inject their mail and handle DSNs
(and sets up an SPF1 record authorising this) , the M$ perversion (of testing
PRA against an SPF1 record) falsely declares that the receiver can assume that
the bank also gave permission for that third party to author its own message
content claiming to be 'From:' that bank.
Chris Haynes