spf-discuss

Re: [spf-discuss] Useful SPF results

2006-12-03 21:14:35
On Saturday 02 December 2006 21:43, wayne wrote:

For the "I really mean FAIL", there are quite a few different cases.
This seems to be pushed mostly by folks like paypal who get phished a
lot.  As Stuart's parody points out, it is easy for the sender to say
"I REALLY REALLY REALLY MEAN FAIL", but saying this isn't useful for
the receiver.

My proposal for a "I really mean FAIL" is:  If you, as the email
receiver, reject an otherwise legitimate email due to an SPF Fail, then
the blame can be put on me, as the domain owner.  As a sender, I have
taken the steps necessary to make sure that the email I send will
never Fail, which may include things like never sending to email
addresses that get forwarded and such.

Legitimate email, like all good forms of communication, is something
useful for the teller to say and the listener to hear.  Any time an
email is blocked, there is always a battle about whose fault it is and
the support costs of resolving the issue can be very significant,
compared to the normal costs.  By shifting the support costs from the
receiver to the sender, this gives the receiver a reason to listen.

So, how does this proposal stack up to the three criteria?

This passes the first criterion because the receiver can't know that
they can shift the blame for an incorrect rejection.

This passes the second criterion, at least for heavily phished
companies where the cost of phishing might easily outweigh the extra
support costs.

This passes the third criterion because the receiver can safely reject
email that fails an SPF check without adding to their support costs.


My conclusion:  An appropriate "I really mean FAIL" policy could be
useful.

I think this makes sense.  In retrospect, my choice of the phrase "I really 
mean FAIL" was a poor one.  It would have been better to have said, "If there 
is a FAIL, I really want the reject".  

I also think that an explicit acknowledgement that the domain owner wants 
rejections would encourage receivers who now just use SPF to give a (small) 
bad score in their favorite spam filtering program.  

For SPF to increase in effectiveness, we have to get more people out of the 
post-SMTP filtering approach and into the SMTP reject approach.  I think this 
might be a way to push things in that direction.

For a VERY long time (maybe even before I was involved) the SPF specs have
said reject or filter were valid approaches for Fail, so I do not believe
that the view that rejection is the only valid response to Fail holds up.
_WE_ all KNOW what _WE_ wanted and what the spec MEANT, but others read the
spec and don't know what to do.  They take the apparently safer approach of
filtering.

Scott K
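As an added illustration of the "SMTP reject" versus "post-SMTP filtering" distinction discussed in this thread (example code, not from the poster or the SPF project), here is a minimal Python SPF evaluator that handles only ip4/ip6 mechanisms and the "all" mechanism, followed by a receiver policy function. The score weights and the reject text are constructed for the example.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 4408 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF TXT record for the connecting client IP.

    Only ip4, ip6 and all are supported; a, mx, include, exists and
    modifiers are deliberately out of scope for this illustration.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]     # "all" always matches
    return "neutral"                         # nothing matched


def receiver_action(result, reject_on_fail):
    """Map an SPF result to the receiver's decision.

    reject_on_fail=True is the SMTP-time reject approach; False is the
    post-SMTP filtering approach that only adjusts a spam score.
    """
    if result == "fail" and reject_on_fail:
        return ("reject", "550 5.7.1 SPF check failed")  # constructed text
    if result == "fail":
        return ("score", 5.0)                # constructed score weight
    if result == "softfail":
        return ("score", 1.0)                # constructed score weight
    return ("accept", None)
```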

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?list_id=735