spf-discuss

Re: [spf-discuss] SPF TXT Questions re Effectiveness

2006-11-21 08:45:45

    Thanks to all for the replies.  The concepts are starting to make
    sense ... and the second read of Alex's comments helped within
    the context of other inputs to this thread.  I will lower my 
    expectations in both time and in the efficacy of SPF but know 
    that I have at least made an effort to potentially reduce spoofing
    should the receivers choose to check.

    I am a domain owner, but do not run an MTA - I forward to 
    Comcast and to GMail from which I POP down.  I have e-mailed 
    the GMail folks to see what their position is on checking SPF.  My 
    experience with Comcast on e-mail matters has been mostly 
    silence, and I won't ask there (yet).

    I found a white paper on SES protocol (dated 2004) so will
    try to understand that concept and see if it applies in my
    situation.  I don't think it does.

    What I need (and maybe others?) is an "SPF for Dummies".

    George

____________________
George Hitz
Sudbury, Massachusetts
hitz(_at_)hitz(_dot_)org


  ----- Original Message ----- 
  From: Claire Campbell 
  To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
  Sent: Monday, November 20, 2006 10:26 PM
  Subject: Re: [spf-discuss] SPF TXT Questions re Effectiveness


  Stuart D. Gathman wrote:
  > On Sun, 19 Nov 2006, George Hitz wrote:
  >
  >   
  >>     The quantity of these bounced e-mails is as plentiful as
  >>     always indicating to me that something is not working.
  >>     They do not appear to be going away.
  >>
  >>     This process is quite difficult for me to get my hands
  >>     (and mind) around to understand just what is going on.
  >>
  >>     Can someone help, please?  
  >>     
  >
  > Not everyone checks SPF.  Some of those that do are afraid that you
  > might not have really meant it when you published instructions to 
  > reject the forged mail.  (This is because some people have published
  > erroneous SPF records and then complained because their mail was
  > rejected as requested.)
  >
  > The SPF community needs to work on getting people to do a proper job
  > of *checking* the SPF records.  There are quite a few domains that
  > publish them now, but people are timid about checking them, and often
  > checking them incorrectly (like checking relays from a secondary MX
  > or a non-SRS forwarder).
  >   
  Agreed.
  Anyone who publishes an SPF record needs to understand that they are 
  making a statement about the e-mail that they can be held accountable 
  for and the likelihood of anyone else having the ability to pass 
  themselves off as an authorised user of their e-mail address/domain. 
  From my (non-technical) domain owner's perspective - that's it - it 
  makes no statement as to whether the e-mail is/is not spam. It only 
  indicates a degree of confidence on the part of the domain owner as to 
  whether their address might/might not be forged as the sender of that 
  e-mail, based on an accurate assessment of their mail sending 
  infrastructure.

  However - for some reason, this is not well understood by some service 
  providers on the receiving end, who seem to make the following assumptions:
  SPF Pass = not spam. Accept without question. White List even. Give Gold Star.
  SPF Neutral = probably spam - Reject, but accept mail from any domain without an SPF record.
  SPF Fail - Hmmm...

  Received a virus notification today regarding an infected e-mail that 
  had spoofed our domain as the sender. It had the following subject line: 
  - "Virus Found in message "[SPAM] - News - Sender is forged (SPF Fail)" 
  Have e-mailed the sender to find out what other clues would have been 
  required to make them believe that the sender's address was forged and 
  that it was pointless to notify us of a virus that their own checks 
  indicated had not been sent by us.
  The good news is that this is a rarity for us since we published our SPF 
  record, whereas previously it had been an ongoing problem.
    
  So - Yes - mail receivers do need to do a proper job of checking SPF 
  records - if the domain owner has messed up they will learn very quickly 
  + fix it. (Been there - got the T shirt.) So long as any rejections are 
  sent to the domain owner by their ISP (one of ours doesn't - we have to 
  ask for the log files), there doesn't seem any point in guessing at what 
  they really meant to convey in their record.
  It would be good if there was some way of receivers testing their SPF 
  checking for reliability, in the same way as domain owners can test 
  their records. Would there be any mileage, perhaps, in domain owners 
  like ourselves who have published reliable SPF records with the help of 
  the volunteer support team, giving something back by offering to send 
  test mails to receivers interested in determining the reliability of 
  their SPF checks?

  Claire Campbell
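Claire's point above about what each SPF result does and does not say, and Stuart's earlier point about checking relays from a secondary MX or a non-SRS forwarder, as an added example that is not part of the thread. The naive policy mirrors the receiver assumptions Claire lists; the forwarder list and sample addresses are constructed.

```python
# Added example, not from the thread: receiver-side handling of SPF results.
# TRUSTED_FORWARDERS and the IPs used with it are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    action: str          # "accept", "reject", "defer" or "skip"
    whitelist: bool      # bypass the spam filter entirely
    notify_sender: bool  # safe to send a bounce / virus notice to the envelope sender


# The assumptions the thread complains about: pass means "not spam" (whitelist),
# neutral means "probably spam" (reject), and a domain with no record is accepted.
def naive_policy(spf_result: str) -> Decision:
    if spf_result == "pass":
        return Decision("accept", whitelist=True, notify_sender=True)
    if spf_result == "neutral":
        return Decision("reject", whitelist=False, notify_sender=True)
    return Decision("accept", whitelist=False, notify_sender=True)


def receiver_policy(spf_result: str, client_ip: str, trusted_forwarders) -> Decision:
    """Act on the SPF result the way the publishing domain intended it."""
    ip = ipaddress.ip_address(client_ip)
    # A secondary MX or a forwarder that does not rewrite the envelope sender
    # (no SRS) is not the originating MTA; evaluating SPF against its IP yields
    # a meaningless "fail", so the check is skipped for such relays.
    if any(ip in net for net in trusted_forwarders):
        return Decision("skip", whitelist=False, notify_sender=True)
    if spf_result == "fail":
        # The domain owner asked for rejection: reject at SMTP time and never
        # generate a later notice, since the sender address is known forged.
        return Decision("reject", whitelist=False, notify_sender=False)
    if spf_result == "softfail":
        # "Probably not authorised": accept for filtering, but no notices either.
        return Decision("accept", whitelist=False, notify_sender=False)
    if spf_result == "temperror":
        return Decision("defer", whitelist=False, notify_sender=False)
    # pass only says the sending host was authorised by the domain; it says
    # nothing about spam, so the message still goes through the spam filter.
    # neutral and none make no statement either way and are treated alike.
    return Decision("accept", whitelist=False, notify_sender=True)


TRUSTED_FORWARDERS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed sample
```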
       

  -------
  Sender Policy Framework: http://www.openspf.org/
  Archives at http://archives.listbox.com/spf-discuss/current/
  To unsubscribe, change your address, or temporarily deactivate your subscription,
  please go to http://v2.listbox.com/member/?list_id=735
