spf-discuss

Re: [spf-discuss] Exclusive v. Open SPF records

2005-09-03 18:33:24
Gaven Henderson wrote:
> So, can somebody explain to me the functional difference between neutral and
> softfail?  Isn't that like saying "kind of grey" as opposed to "really
> grey"?  What's next, neutral fail?  In a world where messages (from an

Neutral is saying unknown, SoftFail is saying "The PHBs and sales staff
haven't come into line yet, but these addresses are really unauthorised".

> omniscient viewpoint) are either valid or not, I don't understand the
> existence of middle ground.  The only reason I can imagine this facilitates
> adoption of SPF is to relax IT Admins who don't know the layout of the
> network they manage.  AOL, for example, ends their SPF record with ?all in
> addition to containing to exclusions.  Despite the fact that such a record
> provides almost no help in identifying a spoofed mail from, I can't believe
> that AOL can't pin down all its outbound servers.

AOL can pin down all of its outgoing servers, but it has a large number
of subscribers that don't use them. Getting 6M+ users into line is a
non-trivial task. I expect it will be some more months before they start
tightening up their record. OTOH, a lot of mail system operators seem
to be tightening up their record for them.

> As Julian mentioned, an SPF record of only "?all" provides no information.
> That in mind, does "ipv4:127.0.0.1/24 ?all" really provide useful
> information?  I think not.  It's easy to say for certain if a message is
> good.  The trick is to identify if a message is forged.

Right. And it is _really_ the domain owner's problem if they publish
too lax a record. As in the case of AOL, even if they won't assert
that mail not from their servers is forged, many sites reject on
AOL:Neutral. For less influential sites such a soft policy might result
in _ALL_ mail that claims to be from their domain being rejected as spam.

> Think of it as a speeding ticket.  A cop won't pull you over and thank you
> for driving the speed limit.  He will, however, issue you a ticket if you
> weren't.  The point I'm making is the goal should be to catch the bad guys,
> not the good ones.

This is the goal, which is why so many of us actively encourage
domain owners publishing "-all".

> Note:  Please don't assume that I dislike SPF in any way.  I think that, a
> few problems aside, this is a great solution.  I would like to see it become
> more effective, that's all.

It will be. The main barriers are getting the knowledge out to
domain owners and mail system operators so that they will have
the confidence to publish strict records, and treat them strictly.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203