spf-discuss

[spf-discuss] Re: Promoting NEUTRAL or SOFTFAIL result to FAIL

2006-02-25 16:04:46
Hector Santos wrote:

>     MAIL FROM: user @ domain.com
> and
>     MFROM.DOMAIN == HELO.DOMAIN
>
> It is a clear cut violation if SPF(MFROM) returns anything
> but a FAIL or PASS because the client is stating it is inside
> the secured authorized sending network.

If xyzzy.dnsalias.org would send mail and have a sender policy,
that would be "v=spf1 a -all".

In reality it doesn't send mail and has no sender policy, but I
still use it sometimes as EHLO for address tests.

The a:xyzzy.dnsalias.org is a DynDNS record, if I talk to your
server, then go offline, and immediately online again, talking
again with your server, the A in your cache will be incorrect
until it expires.

The part "switch access providers (with new IP) rapidly" is not
nonsense, I do this daily hopping from the cheapest provider to
another depending on the time of the day.

> I don't understand why SOFTFAIL could not be considered in
> this logic, Frank?  I don't understand your point here.

The point of SOFTFAIL is testing.  If I _test_ "v=spf1 mx ~all"
and simply forgot to add the "a" for rare direct-to-MX usages,
then treating HELO SOFTFAIL like FAIL is rather hard.

Maybe harmless, you reject the mail, I can then fix the policy.
Or I switch to NEUTRAL, you reject it again, I give up on SPF,
that would be bad.

A NEUTRAL result MUST be interpreted like NONE.  It's a bad
plan to second guess what the sender "really" means, probably
he's confused, but maybe he has good reasons for the NEUTRAL.

     example.com "v=spf1 ip4:1.2.3.4 ?ip4:1.2.3.0/24 -all"

Some admin hack.  "It's 1.2.3.4 today, but it was 1.2.3.3 last
year, and they forget to tell me for weeks, so let's play it
safe".  No idea how realistic that is, but it's possible.

Maybe they really switch to 1.2.3.5 tomorrow forgetting to tell
their postmaster, who should then fill out form X.NS.123-1997
sent per fax to the company DNS gurus at the other end of the
world asking them to update the SPF record.

Murphy is everywhere.  Treat NEUTRAL like NONE and you can't be
wrong.  Otherwise what you do is "receiver policy", screw it up
too hard, and the senders chicken out and stop publishing SPF.

                          IOY 2 cents
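As an added illustration (not code from the post or from any SPF implementation), the following Python evaluates the thread's example.com record with its `+`/`-`/`~`/`?` qualifiers and applies the receiver policy the message argues for: only FAIL rejects, NEUTRAL is handled exactly like NONE, SOFTFAIL is accepted but flagged. It assumes only `ip4:` and `all` mechanisms; `a`, `mx` and `include` need DNS and are deliberately left out.

```python
import ipaddress

# SPF qualifier prefix -> result name (RFC 4408 semantics).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_ip4(record, client_ip):
    """Evaluate a 'v=spf1' record built only from ip4: and all mechanisms.

    Mechanisms that require DNS lookups (a, mx, include) are out of scope
    for this example and raise ValueError instead of being guessed at.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable sender policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # implicit qualifier is PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported mechanism in this example: {term}")
    return "neutral"                       # ran off the end: RFC default


def receiver_action(result):
    """Receiver policy from the thread: NEUTRAL is treated like NONE,
    SOFTFAIL is accepted (and can be marked), only FAIL is rejected."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-mark"
    return "accept"                        # pass, neutral and none alike


# Record quoted in the message above.
EXAMPLE_RECORD = "v=spf1 ip4:1.2.3.4 ?ip4:1.2.3.0/24 -all"

if __name__ == "__main__":
    # Constructed sample client addresses: today's IP, last year's IP,
    # tomorrow's unannounced IP, and an address outside the /24.
    for ip in ("1.2.3.4", "1.2.3.3", "1.2.3.5", "5.6.7.8"):
        result = evaluate_ip4(EXAMPLE_RECORD, ip)
        print(f"{ip:<10} {result:<9} -> {receiver_action(result)}")
```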


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
