spf-discuss

RE: [spf-discuss] When receiving mail servers undermine the purpose of SPF - a domain owners perspective

2006-06-13 17:24:27
-----Original Message-----
From: Stuart D. Gathman [mailto:stuart(_at_)bmsi(_dot_)com] 


In all the non-technical documentation I have read on SPF, I can find no recommendation to reject mail on the basis of a neutral SPF result but rather to treat it as if it had no SPF record.

For heavily forged domains (e.g. I just added earthlink - I 
was getting hundreds of "earthlink.net" forgeries a day), I 
reject on NEUTRAL (which also includes NONE unless it gets a 
"guessed" PASS from "v=spf1 a mx ptr").  I agree that 
penalizing SPF publishers more than non-publishers is 
counterproductive.  Certainly a blanket policy by a large ISP 
of rejecting on NEUTRAL by default is anti-social.

I respect your decision totally - however this is based, to a degree, on the
reputations associated with those domains - not purely on what is conveyed
in the domain owner's SPF record. The problem I have with this particular
provider is that having experienced no difficulties whatsoever in sending
mail to their users, our mail was arbitrarily rejected as soon as we
published our SPF record. The fact that they were fully prepared to accept
mail from our domain once we had the means to send mail from a mail server
with no risks of cross-user forgery/unknown security exploits etc,
eliminated any possibility that their decision was based on any reputation
associated with our domain.

While you might not be able to get a PASS with a shared 
provider, you could at least get a FAIL for mail that doesn't 
come from an authorized provider.  Then small servers like 
mine wouldn't have any reason to add you to a NEUTRAL blacklist.

I totally agree - that's exactly what our Sender Policy states - despite the
inherent suspicion associated with a Neutral SPF result, we feel that its
value lies primarily in the servers that are explicitly NOT authorised to
send mail for our domain. This is on the basis that 4.3 million IP addresses
versus the handful listed in our record, with appropriate levels of
confidence assigned to each, seems mathematically to be a better deal for all
concerned. From a commercial perspective, it would have been the easiest
thing in the world for us to ignore the risks associated with a shared
web/mail server environment and publish a more assertive record than
appropriate for those servers. I imagine that many SPF records are more
assertive than their circumstances actually warrant - either out of
ignorance/unqualified advice/self-interest on the part of server hosts who
may hope that their users do not scrutinize their infrastructure too closely
- or simply because their domain owners have a drive-by-shooting attitude to
their internet presence in the same way that spammers do. However, we
consider ourselves lucky to have had the benefit of sound, impartial advice
given unreservedly by someone with nothing to gain commercially from doing
so, and to reject this for the sake of expediency would have been both a
betrayal of trust and short-sighted.

Also, many people use NEUTRAL for mail sent from home ISP or 
roaming users.  Don't do this!

We don't.

Use SMTP AUTH to relay such mail through an authorized MTA

We do.

Most (all) commercial providers have no technical protection against cross-user forgery even with SMTP AUTH (SPF is the killer application for proper SMTP AUTH implementation - and commercial providers haven't realized this yet).

I became aware of this when we were being guided through the setup of our
SPF record and despite SMTP authentication I was able to test this via our
own mailbox. Fortunately, we have removed ourselves from this environment
and trust our mail to a service where this is not possible.

If you are concerned about liability, you should get your own relay MTA.

We are moving in that direction. One of the other major benefits of our SPF
journey is that we have come to take greater ownership of our own domain
instead of just accepting what is available by default. We have found a good
mail service provider. Now we just need to sort out a dedicated web server.


The bottom line lesson is that SPF allows per domain policies. Applying blanket local policies that are not based on individual domain behaviour defeats the whole purpose of SPF.

Agreed - that's why I feel so strongly about arbitrary decisions.


Claire
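The disagreement above is about two things: how a domain owner writes a cautious record for a shared provider (a "?" range plus "-all"), and how a receiver maps NEUTRAL and NONE to accept/reject. The following Python is an added example written for this archive page, not code from either correspondent or from the SPF project; the IP addresses, the DNS answers in `DNS`, and `CAUTIOUS_RECORD` are constructed, and the evaluator handles only the ip4/ip6/a/mx/ptr/all mechanisms.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # result when a mechanism matches
BEST_GUESS = "v=spf1 a mx ptr"  # the "guessed" record Stuart applies to NONE

def evaluate_spf(record, sender_ip, resolved=None):
    """Return pass/fail/softfail/neutral/none for sender_ip under record.
    Handles ip4/ip6/a/mx/ptr/all only (no include/redirect); a/mx/ptr are
    answered from the constructed `resolved` dict, not live DNS (offline)."""
    if not record or record.lower().split()[:1] != ["v=spf1"]:
        return "none"  # no (valid) record published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name in ("a", "mx", "ptr"):
            if str(ip) in (resolved or {}).get(name, ()):
                return QUALIFIERS[qual]
    return "neutral"  # default result when no mechanism matches

def receiver_decision(record, sender_ip, resolved=None,
                      reject_neutral=False, reject_none=False):
    """Map an SPF result to accept/reject under a local policy. Defaults
    follow the recommendation (NEUTRAL treated like NONE); reject_neutral
    alone is what Claire hit; both flags together are Stuart's policy."""
    result = evaluate_spf(record, sender_ip, resolved)
    if result == "fail" or (result == "neutral" and reject_neutral):
        return result, "reject"
    if result == "none" and reject_none:
        # Stuart's rescue: a 'guessed' PASS from BEST_GUESS is accepted
        guessed = evaluate_spf(BEST_GUESS, sender_ip, resolved) == "pass"
        return result, ("accept" if guessed else "reject")
    return result, "accept"

# Constructed scenario: the domain's own host 203.0.113.5 plus a shared
# provider range 192.0.2.0/24 that only earns "?" because of cross-user forgery.
DNS = {"a": ["203.0.113.5"], "mx": ["203.0.113.5"], "ptr": ["203.0.113.5"]}
CAUTIOUS_RECORD = "v=spf1 ip4:203.0.113.5 ?ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for rec in (None, CAUTIOUS_RECORD):  # same sender, before/after publishing
        print(rec, receiver_decision(rec, "192.0.2.10", DNS, reject_neutral=True))
```

Run stand-alone, it shows the asymmetry the thread complains about: the same shared-provider sender is accepted while the domain publishes nothing and rejected the moment the cautious record appears, while a forger outside both ranges is rejected under every policy.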

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com