Stuart D. Gathman wrote:
> On Sun, 19 Nov 2006, George Hitz wrote:
>> The quantity of these bounced e-mails is as plentiful as
>> always indicating to me that something is not working.
>> They do not appear to be going away.
>> This process is quite difficult for me to get my hands
>> (and mind) around to understand just what is going on.
>> Can someone help, please?
> Not everyone checks SPF. Some of those that do are afraid that you
> might not have really meant it when you published instructions to
> reject the forged mail. (This is because some people have published
> erroneous SPF records and then complained because their mail was
> rejected as requested.)
> The SPF community needs to work on getting people to do a proper job
> of *checking* the SPF records. There are quite a few domains that
> publish them now, but people are timid about checking them, and often
> checking them incorrectly (like checking relays from a secondary MX
> or a non-SRS forwarder).
Agreed.
Anyone who publishes an SPF record needs to understand that they are
making a statement about the e-mail that they can be held accountable
for, and about the likelihood of anyone else having the ability to pass
themselves off as an authorised user of their e-mail address/domain.
From my (non-technical) domain owner's perspective, that's it. It
makes no statement as to whether the e-mail is or is not spam. It only
indicates a degree of confidence on the part of the domain owner as to
whether their address might or might not be forged as the sender of that
e-mail, based on an accurate assessment of their mail sending
infrastructure.
However - for some reason, this is not well understood by some service
providers on the receiving end, who seem to make the following assumptions:
SPF pass = not spam. Accept without question. White List even. Give Gold
Star.
SPF Neutral = probably spam - Reject, but accept mail from any domain
without an SPF record.
SPF Fail - Hmmm...
Received a virus notification today regarding an infected e-mail that
had spoofed our domain as the sender. It had the following subject line:
- "Virus Found in message "[SPAM] - News - Sender is forged (SPF Fail)"
Have e-mailed the sender to find out what other clues would have been
required to make them believe that the sender's address was forged and
that it was pointless to notify us of a virus that their own checks
indicated had not been sent by us.
The good news is that this is a rarity for us since we published our SPF
record, whereas previously it had been an ongoing problem.
So, yes, mail receivers do need to do a proper job of checking SPF
records. If the domain owner has messed up they will learn very quickly
and fix it. (Been there, got the T-shirt.) So long as any rejections are
sent to the domain owner by their ISP (one of ours doesn't; we have to
ask for the log files), there doesn't seem any point in guessing at what
they really meant to convey in their record.
It would be good if there was some way of receivers testing their SPF
checking for reliability, in the same way as domain owners can test
their records. Would there be any mileage, perhaps, in domain owners
like ourselves who have published reliable SPF records with the help of
the volunteer support team, giving something back by offering to send
test mails to receivers interested in determining the reliability of
their SPF checks?
Claire Campbell
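As an added illustration (not code from this thread, from the SPF project, or from any of the posters), the following Python sketch shows the receiver-side policy Stuart and Claire are arguing for: the SPF result is taken as already evaluated, and the code only decides what to do with it. It skips the check for connections arriving via a secondary MX or a known non-SRS forwarder (the mistake Stuart names), honours a hard "fail" as the domain owner requested, treats "pass", "neutral" and "none" as saying nothing about spam (the assumptions Claire lists), and suppresses virus/bounce notifications to a sender SPF has already flagged as forged (the backscatter Claire received). The relay networks and IP addresses are constructed test values; `TRUSTED_RELAYS`, `spf_decision`, `naive_decision` and `should_notify_sender` are names invented for this example.

```python
import ipaddress
from enum import Enum


class Action(Enum):
    REJECT = "reject"        # 5xx at SMTP time, so the sending domain sees it in its logs
    DEFER = "defer"          # 4xx: DNS trouble, let the sender retry
    ACCEPT = "accept"        # deliver, still subject to normal content/spam filtering
    ACCEPT_MARK = "mark"     # deliver, but record the softfail in a header for scoring


# Constructed sample data: hops that sit between the sender's border and us.
# Mail from these hosts must NOT be SPF-checked against the envelope sender,
# because the sender's SPF record describes the originating domain's MTAs,
# not our own secondary MX or a forwarder that did not rewrite the sender.
TRUSTED_RELAYS = [
    ipaddress.ip_network("192.0.2.0/24"),      # our secondary MX (TEST-NET-1, constructed)
    ipaddress.ip_network("198.51.100.7/32"),   # a known non-SRS forwarder (constructed)
]


def naive_decision(result):
    """The receiver behaviour the thread complains about, kept only for contrast:
    'pass' becomes a whitelist entry, 'neutral' a rejection, no record is fine."""
    return {"pass": "whitelist", "neutral": "reject", "none": "accept"}.get(result, "unhandled")


def spf_decision(result, connecting_ip, trusted_relays=TRUSTED_RELAYS):
    """Map an already-evaluated SPF result (RFC 4408 vocabulary) plus the
    connecting IP to an SMTP-time action and a reason string."""
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in net for net in trusted_relays):
        # Checking here compares the relay's IP with the original sender's
        # record and manufactures false fails; the check belongs at the border.
        return Action.ACCEPT, "spf=skipped (secondary MX / forwarder hop)"
    if result == "fail":
        # The domain owner asked for this; honouring it is how they learn
        # quickly that their record is broken, as Claire describes.
        return Action.REJECT, "550 5.7.1 sender forged according to domain's SPF record"
    if result == "softfail":
        return Action.ACCEPT_MARK, "spf=softfail; add to spam score, do not reject"
    if result == "temperror":
        return Action.DEFER, "451 4.4.3 temporary SPF/DNS failure, try later"
    if result in ("pass", "neutral", "none", "permerror"):
        # pass means only 'this host may use the domain'; neutral/none/permerror
        # mean 'no usable statement'. None of these is a spam verdict.
        return Action.ACCEPT, f"spf={result}; continue to content filtering"
    raise ValueError(f"unknown SPF result: {result!r}")


def should_notify_sender(result):
    """A virus or bounce notification sent to an address that SPF already
    flagged as forged only produces backscatter for the forged domain."""
    return result not in ("fail", "softfail")


if __name__ == "__main__":
    # Constructed sample connections: (SPF result, connecting IP)
    for result, ip in [("fail", "203.0.113.5"), ("fail", "192.0.2.10"),
                       ("pass", "203.0.113.5"), ("neutral", "203.0.113.5")]:
        action, reason = spf_decision(result, ip)
        print(f"{result:8} from {ip:15} -> {action.value:7} ({reason}); "
              f"naive receiver would: {naive_decision(result)}; "
              f"notify sender on virus: {should_notify_sender(result)}")
```

The point of the contrast is that `naive_decision` turns "pass" into trust and "neutral" into rejection, whereas `spf_decision` lets SPF answer only the question it can answer (is this host allowed to use this domain?) and leaves the spam verdict to the content filter.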
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/