spf-discuss

Re: [spf-discuss] Re: SPF TXT Questions re Effectiveness

2006-12-02 21:36:55
On Sun, Dec 03, 2006 at 04:03:13AM +0000, Mark wrote:

> On the whole, how can we even argue about SPF-checks and reputation? The
> entire purpose of SPF is about reputation: to protect the "good" one of
> the domain owner. That reputation, as anywhere else in the world, is only as
> good as what he's sending. That's a sound principle, always, with or
> without SPF.

Indeed.  And, like in the rest of the world, you can't get rid of
every and all forgeries.  But you can try, try hard, or not try
hard enough.

If currency is often forged, you'd be a fool to accept it. It has
a bad reputation.  But if currency is not often forged, you can
accept it, even though forgeries do exist.  Complete forgery-free
exists only in utopia.

Domain-based reputation schemes will take this into account. Something
like "OK, we've seen a million mails from this domain, and five of them
were spam.  That's probably been a temporary problem, generally speaking
you can trust mail from them".

or 

"Spam is sent from this domain every week, from an authorized host.
If the domain owner is not fighting this, it must be a spammer. This
domain cannot be trusted."

or

"Normally nothing bad happens, but the last week there seems to be
a problem.  Let's blacklist but give the domain owner a chance to
solve the problem and delist himself."


HARDPASS is nonsense and useless.  We have PASS, and this is good enough.

My point is: *how* the ISP is fighting forgeries is not important,
what matters is *that* they succeed in doing so.

Technical measures to avoid cross-user forgery are a "how". It should
not be a criterion for deciding PASS or NEUTRAL.  It is not a goal,
it is a tool.  It is not *the* tool, there may be others.

Publishing PASS means the publisher can be addressed to in case of
problems, not just bounces but also if spam and/or viruses are seen.
Publishing PASS does not mean the source is authentic, it only means
the sending host is authorized by the domain owner, and that the
domain owner accepts responsibility (but not blame!).


Publishing NEUTRAL for your own ISP is for wimps.  It is like saying
that people should not reject mail coming from there, but don't think
the publisher accepts any responsibility for it.

alex
