spf-discuss

RE: Validator Testing Request

2005-08-10 05:32:02
-----Original Message-----
From: Daniel Taylor [mailto:dtaylor(_at_)vocalabs(_dot_)com]
Sent: Wednesday, August 10, 2005 8:26 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Validator Testing Request



Stuart D. Gathman wrote:
> On Tue, 9 Aug 2005, Daniel Taylor wrote:
>
>> I would say that this is the #1 reason for us to discourage the use of
>> ?all records. People being people, the receivers will adapt to the
>> perceived reality of what the modifiers mean rather than the "book"
>> version of what they are supposed to mean.
>>
>> With AOL and other frequently forged domains publishing ?all rather than
>> ~all or -all the real meaning of '?' goes from neutral to forged
>> in a hurry.
>
> That's why a decent SPF checker will apply a NEUTRAL == FAIL policy
> (or other adaptive policies) only to selected domains (e.g. AOL).
>
> If it is important to send mail to defective SPF checkers, your best
> bet is to get a PASS via SMTP AUTH/VPN/whatever - not to allow mass
> forgery of your domain.

You are absolutely correct. But I firmly expect there to be a
significant number of off-spec SPF checkers out there, and much
as I love SMTP AUTH there will be domains for which it simply
isn't an immediate solution.

SPF Pass works very nicely for organizations that run a dedicated mail
server.  For those who use shared servers that are vulnerable to cross-user
forgery (that would be basically all of them except some webmail servers),
Pass, even if all mail is sent from the main server, could be problematic.

Scott K
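
The per-domain NEUTRAL == FAIL policy mentioned in the quoted text above, sketched as an added example that is not part of the original thread or of any SPF implementation. The names `STRICT_DOMAINS`, `is_strict` and `effective_result`, the contents of the strict list, and the choice to cover subdomains of a listed domain are all assumptions made for illustration.

```python
# Added illustration: receiver-side adaptive policy applied AFTER a normal
# SPF check. All names here are hypothetical, not from an SPF library.

# Constructed list of domains the receiver treats as frequently forged.
STRICT_DOMAINS = {"aol.com"}

SPF_RESULTS = {"none", "neutral", "pass", "fail",
               "softfail", "temperror", "permerror"}


def _normalize(domain):
    """Lower-case and drop whitespace and a trailing root dot."""
    return domain.strip().rstrip(".").lower()


def is_strict(domain, strict=STRICT_DOMAINS):
    """True if domain is a listed domain or a subdomain of one.

    Matching is done on whole labels, so 'notaol.com' does not match
    'aol.com' the way a naive endswith() test would.
    Assumption: subdomains inherit the strict policy.
    """
    labels = _normalize(domain).split(".")
    return any(".".join(labels[i:]) in strict for i in range(len(labels)))


def effective_result(mail_from_domain, spf_result, strict=STRICT_DOMAINS):
    """Map the checker's SPF result to the result the receiver acts on.

    Only NEUTRAL is rewritten, and only for listed domains; every other
    result, and NEUTRAL for every other domain, keeps its standard meaning.
    """
    result = spf_result.strip().lower()
    if result not in SPF_RESULTS:
        raise ValueError("unknown SPF result: %r" % spf_result)
    if result == "neutral" and is_strict(mail_from_domain, strict):
        return "fail"
    return result


if __name__ == "__main__":
    # Constructed sample inputs: (MAIL FROM domain, result from SPF checker)
    samples = [("aol.com", "neutral"), ("mail.aol.com", "neutral"),
               ("notaol.com", "neutral"), ("example.org", "neutral"),
               ("aol.com", "pass")]
    for domain, result in samples:
        print(domain, result, "->", effective_result(domain, result))
```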