On Sun, 11 Sep 2005, Theo Schlossnagle wrote:
> circumstances. Recipients are not always the ones configuring aliases
> that send mail to them. Others may do so legitimately as well. Many
Baloney. Authorized (as in requested) forwarding is one thing. But someone
deciding to shovel all email my way that is sent to some address (that I did
not set up) without permission, is extremely rude, at best, or more likely just
spam.
> recipients couldn't communicate that information even if such a channel
> of communication between user and admin was available -- they just
> aren't aware of it as it has never been important.
No problem. Just don't reject on SPF fail when in that situation.
It hasn't been important - but it is now.
> Understanding your outbound mail isn't enough. You can't publish -all
> unless you know that all potential receivers will not forward mail by
> standard practices. That insight is impossible except for rare edge cases.
Wrong. An SPF publisher is only responsible for sending mail. You
are the one asking for an impossibility. How could a sender possibly know
all the details of every possible recipient? It *is* possible for
a sender to know how they send mail - and publish that in an
SPF record. It *is* possible for a receiver to know how they
receive mail - and only check SPF at the borders (or do
"relaxed" checking only).
> That's a deployment strategy complicated enough to completely deter
> deployment.
It is no more complicated than the sendmail access database. In fact,
that works quite nicely for the purpose with a tiny milter extension.
> SPF, to be successful, must provide senders the facilities to describe
> policy and receiving ISPs the facilities to enforce those policies
> without the cooperation of their subscribers.
To me, an "ISP" provides internet service, and I hope they don't mess
with my mail (although carnivore says otherwise). Perhaps you
mean "mail provider", like Yahoo mail or AOL mail.
If said mail provider does not want to provide an SPF admin interface,
then they can just do relaxed checking - and feed it to their spam
statistics.
There is an analogous problem for publishing. End users at large
mail providers have in the past expected to be able to use their address
(e.g. joe(_at_)yahoo(_dot_)com) as the MAIL FROM at any computer anywhere in
the world - and have it work. In order to publish a strict SPF
record, that has to stop. All end users must use SMTP AUTH or other
solution from roaming locations before a mail provider can publish "-all".
Similarly, users in the past have expected to be able to forward any address
anywhere to any mailbox without telling the admin or admin software of the
destination mailbox about the alias. In order to do strict SPF checking,
that has to stop. All end users must register all non-SRS forwarders
before strict SPF checking can be done on their mailbox.
This is not a failure of SPF. This is simply policy choice on the part
of senders and receivers. If a sender wants to allow their domain to
be used from any machine anywhere without authentication, then a "?all"
SPF record describes that policy choice. If a receiver wants to allow
any machine anywhere to forward them mail without prior approval and
without changing the sender, then they can - by not rejecting on SPF fail.
It is simply a logical contradiction for SPF critics to say they
want to have a "-all" policy in their SPF record without actually
implementing a "-all" policy. It is simply a logical contradiction for
receivers to say they want to reject on SPF fail, but still allow
the "forgeries" such a policy prevents!
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
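The two policy choices the message separates (the sender's "-all" versus "?all" qualifier, and the receiver's decision to reject on fail only at the border and never for a registered non-SRS forwarder, scoring instead when doing relaxed checking) as an added worked example. This is illustrative code written for this page, not anything from the list or from an SPF implementation; the SPF records, IP addresses and forwarder list are constructed, and the evaluator handles only ip4/ip6 and all mechanisms.

```python
import ipaddress

# Constructed sample records (documentation domains, not real publishers).
SPF_RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",   # sender enforces "-all"
    "roaming.example": "v=spf1 ip4:198.51.100.10 ?all",  # roaming users allowed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluation: ip4/ip6 and all mechanisms only. Enough to show
    how the sender's qualifier on 'all' decides the result for unknown hosts."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]        # "-all" -> fail, "?all" -> neutral
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"                       # default when nothing matched


def receiver_action(result, client_ip, at_border, registered_forwarders, strict):
    """Receiver-side policy from the thread: only the border MTA checks, a
    forwarder the user registered is exempt, and relaxed mode scores instead
    of rejecting (feeding the result to spam statistics)."""
    if not at_border or client_ip in registered_forwarders:
        return "accept"                    # forwarded mail: SPF fail is expected
    if result == "fail":
        return "reject" if strict else "score"
    return "accept"


def check_mail(mail_from_domain, client_ip, at_border=True,
               registered_forwarders=frozenset(), strict=True):
    """Combine the sender's published policy with the receiver's local policy."""
    result = evaluate_spf(SPF_RECORDS.get(mail_from_domain, ""), client_ip)
    return result, receiver_action(result, client_ip, at_border,
                                   registered_forwarders, strict)
```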