
[spf-discuss] Re: Successes and failures of the SPF project in 2005

2006-01-12 09:35:06
Dick St.Peters wrote:

> My servers send mail for hundreds of domains, but the
> servers themselves are in a domain never used legitimately
> in a MAIL-FROM.

If these servers are s1 up to s9.mailout.example.net, and you
want it to be clear that MAIL FROM:<any@s?.mailout.example.net>
is bogus, you could just state "v=spf1 a -all" for s1 up to s9.

If you'd insist on e.g. "spf2.0/mfrom -all" you're in trouble
if these servers ever send a single MAIL FROM:<>, that's just
how SPF always worked (as far back as I know it).

That was a design decision, this way SPF works also with empty
Return-Paths.  Taking that as given, the IP of a mailout _must_
be permitted if its FQDN has a sender policy.  It's a logical
consequence that receivers always MAY check the HELO.

Without a policy for the HELO they get NONE, tough luck but no
issue.  If all is well they get PASS.  So far they wasted time
for SMTP sessions without a single MAIL FROM:<> bounce.

But if they get a FAIL for the HELO they save a lot of time -
by definition that's impossible, either the other side screwed
up badly, or some idiot spammer tries to forge the HELO.  That
is an important feature for white listing 251-style-forwarders
or to build CSV-style reputation systems.

The decision to replace "MAY test HELO" by SHOULD was correct,
because the MAY was okay, because that's how SPF works.  If
you don't like it just don't publish policies for your servers.

Above all SPF is _voluntary_ from the POV of domain owners or
MTA operators.  A very dubious IESG Note about the PRA opt-out
technology notwithstanding, two appeals are on public record.

If you still don't get it, better ask somebody else why SPF was
designed this way, from my POV including MAIL FROM:<> was fine.

                           Bye, Frank
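
The HELO outcomes discussed in the message above (NONE, PASS, FAIL, and the fallback to the HELO name for MAIL FROM:<>), as an added example that is not part of the original post. It evaluates only the `a` and `all` mechanisms against constructed zone data; the addresses, `nopolicy.example.org` and `bare.example.net` are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data (not real DNS). s1..s9 publish the policy from the message.
TXT = {f"s{i}.mailout.example.net": "v=spf1 a -all" for i in range(1, 10)}
A = {f"s{i}.mailout.example.net": [f"192.0.2.{i}"] for i in range(1, 10)}
A["nopolicy.example.org"] = ["198.51.100.7"]   # hypothetical host without a policy
TXT["bare.example.net"] = "v=spf1 -all"        # hypothetical host permitting no IP at all
A["bare.example.net"] = ["192.0.2.50"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Evaluate a policy using only the 'a' and 'all' mechanisms (a narrow SPF subset)."""
    domain = domain.lower()
    record = TXT.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech != "a":
            return "permerror"  # other mechanisms are outside this sketch
        if any(client == ipaddress.ip_address(addr) for addr in A.get(domain, [])):
            return QUALIFIERS[qualifier]
    return "neutral"

def evaluate_session(ip, helo, mail_from):
    """Return (helo_result, mail_from_result) for one SMTP session."""
    helo_result = check_host(ip, helo)
    if mail_from == "":
        # Null reverse-path (a bounce): the identity checked is postmaster@<HELO name>,
        # so the policy published for the HELO name decides the MAIL FROM result too.
        return helo_result, helo_result
    return helo_result, check_host(ip, mail_from.rsplit("@", 1)[1])

if __name__ == "__main__":
    sessions = [
        ("192.0.2.3", "s3.mailout.example.net", ""),     # genuine mailout sending a bounce
        ("203.0.113.9", "s3.mailout.example.net", ""),   # HELO name used from a foreign IP
        ("198.51.100.7", "nopolicy.example.org", ""),    # no policy for the HELO name
        ("192.0.2.50", "bare.example.net", ""),          # "-all" only: its own bounce fails
    ]
    for session in sessions:
        print(session, "->", evaluate_session(*session))
```
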

