spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] Re: RPF explanation and examples

2006-11-16 08:48:52
from [Scott Kitterman] [Permanent Link] 
On Thursday 16 November 2006 10:32, Alex van den Bogaerdt wrote:

On Thu, Nov 16, 2006 at 10:24:43AM -0500, Stuart D. Gathman wrote:

I agree.  I just wanted the idea to get a fair hearing.  I would
probably prefer a webservices interface (provide policy in a structured
format to 3rd party using https with user+password).  That is quickly
implemented, easily used by programs as well as humans, and can always
have a GUI built on top of it.


Great. It took a couple of posts, but now we agree on this part.

Next item:

Disabling SPF is not to become "Current Best Practice".
We want people to start using SPF, not to stop using SPF.

This means forwarders should start using SRS (or similar). The hosts
being forwarded to will be able to do SPF.

Alternative approach: pull mail (pop3) from that host, in stead of
having the mail pushed towards you ("forward").


Yes, but ...

There is more than one way to solve the "Forwarding Problem".  Both SRS and 
switching to pull from push require changes at the forwarder.  The question 
is, in the meantime, what does the receiver do.  It seems to me that they 
have roughly four choices:

1.  Do not check SPF.

2.  Reject all SPF Fail messages and accept that forwarded messages will get 
rejected.

3.  Check SPF and use the result as an input to post-SMTP filtering knowing 
that forwarded messages will be more likely to be scored spam.

4.  Whitelist known forwarders from SPF checks and then do #2/3 without the 
negative affects.

So, I'd say that among those options, whitelisting forwarders is the best.  
Many receivers are unwilling to accept the 'false positive' rate associated 
with not treating non-SRS forwarding differently.  I put that in quotes 
because I know there are people that don't consider them false positives.

While the ideal solution is #2, I'd rather have #4 than #1 and so if forwarder 
whitelisting is a way to get more receivers to get started checking SPF, then 
I"m all for it.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?list_id=735
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Re: RPF explanation and examples, Alex van den Bogaerdt
Next by Date:  Re: [spf-discuss] Per/user policies in "Large Domains" (was Fixing Forwarding with RPF), K.J. Petrie
Previous by Thread:  Re: [spf-discuss] Re: RPF explanation and examples, Alex van den Bogaerdt
Next by Thread:  Re: [spf-discuss] Re: RPF explanation and examples, Stuart D. Gathman
Indexes:  [Date] [Thread] [Top] [All Lists]