spf-discuss
[Top] [All Lists]

Re: [OT]Calling Hector Santos

2005-08-25 10:22:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hector Santos wrote:
----- Original Message ----- 
From: "Scott Kitterman" <spf2(_at_)kitterman(_dot_)com>

Hector Santos wrote:


Then how are you expecting this to be read?

  NEUTRAL --> default neutral, no match, continue
  NEUTRAL --> default neutral, no match, continue
  FAIL    --> FAIL? Or use previous default?

The above doesn't match sense. No?


No, I expect it to match the Neutral mechanism and 
return a Neutral result.  


I was not referring to your record, but now in general.

For logic like above, if it does not match, it will fail.

Is that the policy?

That is what it says in the spec.

I guess, I would like to understand the reasoning behind returning what seems 
to be a "hard neutral."

You are basically declaring:

     "I am sending mail from a machine that you
      you probably shouldn't trust!"

Whats the point then?

It allows him to use his domain from locations that aren't perfectly
secure, yet still assert that most of the potential sources of e-mail
in the world aren't permitted to send e-mail that claims to be from his
domain.

I guess I'm having a hard time grasping this form of a "Administrative 
Policy" - a policy saying you are who you are, you are sending mail from the 
machine you expose to the world, but you say at the same time, "don't trust 
me. I might be a liar."  :-)   It is like a cop pulling you over, coming to 
your car, and he sees you looking at his badge and tells you, "Don't worry 
about it, this badge is probably fake anyway."

Hardly. Neutral is for "this is probably from me". "?all" is
only a valid thing to say if you have absolutely no control
over your domain, because that is exactly what it says.

"?include:example.net" is a good way to deal with situations
where you do not have adequate control over the outgoing servers
you use.

My point is that SPF wins when people send from machines that RECEIVERS can 
trust.  I see no point sending from a machine where the policy is to declare 
it is not "trustworthy."  If that is the case, then don't send from it.  Send 
it from a machine where there is trust.

Of course. The optimum, and desired, outcome is for
all records to only include + and - mechanisms and for
receivers to accept on + for non-blacklisted domains, and
reject on - for all domains.

Welcome to the real world, we ain't even close yet.
We've barely even started.

- --
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDf5t8/QSptFdBtURAuIGAJ0Rwpi/KyKgIubDTLA9l/sUAXgGHQCbBO+y
+784+aCQkECGGMEyb3uYhCk=
=MBXZ
-----END PGP SIGNATURE-----