spf-discuss

Re: [OT]Calling Hector Santos

2005-08-25 10:12:53
Hector Santos wrote:
----- Original Message ----- From: "Scott Kitterman" <spf2(_at_)kitterman(_dot_)com>

Hector Santos wrote:


Then how are you expecting this to be read?

  NEUTRAL --> default neutral, no match, continue
  NEUTRAL --> default neutral, no match, continue
  FAIL    --> FAIL? Or use previous default?

The above doesn't make sense. No?


No, I expect it to match the Neutral mechanism and return a Neutral result.


I was not referring to your record, but now in general.

For logic like above, if it does not match, it will fail.

Is that the policy?

I guess I would like to understand the reasoning behind returning what seems to be a 
"hard neutral."

You are basically declaring:

     "I am sending mail from a machine that you
      probably shouldn't trust!"

What's the point then?

I guess I'm having a hard time grasping this form of an "Administrative Policy" - a policy saying 
you are who you are, you are sending mail from the machine you expose to the world, but you say at the same 
time, "don't trust me. I might be a liar."  :-)   It is like a cop pulling you over, coming to your 
car, and he sees you looking at his badge and tells you, "Don't worry about it, this badge is probably 
fake anyway."

My point is that SPF wins when people send from machines that RECEIVERS can trust.  I see 
no point sending from a machine where the policy is to declare it is not 
"trustworthy."  If that is the case, then don't send from it.  Send it from a 
machine where there is trust.

Anyway, thanks.

For users of shared servers, such a machine is basically non-existent today. The point of the Neutral record is to say yes, this IS an MTA that is authorized to send mail from my domain, but I can't guarantee that because the message is an authorized communication from my domain.

The point of my SPF record today is primarily to tell you which MTAs might legitimately send mail from my domain so that if you get mail from none of those places you can safely conclude it is forged.

Rather than declaring that you probably shouldn't trust the machine, I'm saying that I can't guarantee messages from the machine. Now, in the case of that MTA, it's a reasonably safe bet. Pair is a reputable company that doesn't tolerate spam from its network, but because there's nothing technically preventing their other customers from forging me, it is, I believe, prudent to give a Neutral result.

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#cross-user-forgery

Unfortunately, SPF gives me nothing between I don't know (Neutral) and yes it's authorized (Pass). I argued, and lost, for an intermediate result called Softpass that would have fit this situation better.

SPF has to work for people that don't run their own mail server too.

Scott K
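As an added illustration of the evaluation order discussed in this thread (the first matching mechanism decides the result, so a "?" mechanism that matches yields Neutral rather than falling through to "-all", and a receiver treats Neutral exactly like having no record at all), here is a small evaluator written for this note; it is not code from the thread or from any SPF implementation, and the record and IP addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed example record: one trusted MTA gets the default "+",
# the shared host's address range gets "?", everything else "-".
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ?ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a minimal SPF record (ip4/ip6/all mechanisms only) left to right.

    The first mechanism that MATCHES decides the result via its qualifier;
    a mechanism that does not match is skipped and evaluation continues.
    If nothing matches, the result is "neutral" (as if "?all" were present).
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A mismatched address family simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"unsupported mechanism in this example: {name}")
        if matched:
            return QUALIFIERS[qualifier]  # stop at the first match; no fall-through
    return "neutral"


def receiver_action(result: str) -> str:
    """What a receiver may conclude from each result (neutral is treated like none)."""
    if result == "pass":
        return "sender authorized; domain may be used for reputation"
    if result == "fail":
        return "sender not authorized; safe to treat as forged"
    if result == "softfail":
        return "probably not authorized; flag, do not reject on SPF alone"
    return "no conclusion; treat exactly like no SPF record"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.42", "203.0.113.7"):
        r = evaluate_spf(EXAMPLE_RECORD, ip)
        print(f"{ip:>15} -> {r:<8} ({receiver_action(r)})")
```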

