spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] INCLUDE Statement

2005-08-27 03:30:25
from [Frank Ellermann] [Permanent Link] 
Hector Santos wrote:


   If one claims to FAIL a IP, then why should one quality it
   as a NEUTRAL? (lower the bar of the result).


You're talking about a FAIL within include.  Here's an eample:

isp.example "v=spf1 what=ever -all"
example.com "v=spf1 reve=tahw -all"

Independent unrelated organizations, for what=ever insert
something that make sense, ip4:1.2.3.4/24 or "what ever",
dito for reve=tahw (insert something different of course).

So far these are "good" policies, we both like it, either
PASS or FAIL is the best case from the POV of a receiver.

Now let's assume that I'm the owner of any.example and my
mail providers are isp.example and example.com.  I trust
that the latter is a good MSA, but I'm less impressed by
isp.example, they allow "cross user forgery", shared MSA.

Nevertheless I send most mails via isp.eample (cheaper or
a similar reason).  Therefore my sender policy might be:

any.example "v=spf1 ?include:isp.example
                    +include:example.com -all"

Most mails sent via isp.example => PASS in first include
=> match => final result ?include:isp (NEUTRAL) => ready.

Rare mail sent via example.com => FAIL in first include
=> no match, continue => PASS in second include => match
=> final result +include:example (PASS) = > ready

Spam sent from another IP => both includes don't match =>
continue left-to-right, hit -all at end => FAIL => ready.

It's really simple.  But I admit that I still prefer to
use redirect= instead of include:, redirect= is clearer.


But to me, it doesn't make any sense.


Maybe my example helps.  Include is good if you have more
than one provider, or if you want "include:not.me" as some
kind of FAIL-accelerator at the begin of complex policies,
when reaching the final "-all" would be very expensive.

                        Bye, Frank

P.S.:  Sorry for not changing the subject, normally I see
       when a subject contains the name of a poster, which
       is often an indicator for dead "Godwin"-threads, so
       I either change it or don't reply.  Here it was not,
       therefore I forgot to change it.


-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Updated SPF validator and a new checker, Peter Karsai
Next by Date:  [spf-discuss] Re: Updated SPF validator and a new checker, Frank Ellermann
Previous by Thread:  Re: [spf-discuss] Re: [OT]Calling Hector Santos, Hector Santos
Next by Thread:  [spf-discuss] INCLUDE Statement [was [OT]Calling Hector Santos], Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]