
RE: [spf-discuss] Useful SPF results

2006-12-04 00:16:18
Scott Kitterman wrote on Sunday, December 03, 2006 10:13 PM -0600:

For a VERY long time (maybe even before I was involved) the SPF specs
have said reject or filter were valid approaches for Fail, so I do not
believe that the view that rejection is the only valid response to
Fail holds up. _WE_ all KNOW what _WE_ wanted and what the spec MEANT,
but others read the spec and don't know what to do.  They take the
apparently safer approach of filtering.

We may know what we meant, but the politics of the email community,
where no one wants to hear they MUST do anything, meant that the obvious
was not possible.  There isn't much benefit to either party when a
domain owner says, "this doesn't really look like one of our messages,
but you decide for yourself".  I suggest that NEUTRAL and SOFTFAIL are
two results that weakened the concept significantly.

The proposals that we now need HARDPASS, HARDFAIL or perhaps even
op=auth suggest that we missed something very important.  For a
protocol where the sender gives the recipient an unambiguous formula to
evaluate whether the sender's domain name in a return-path emitted by a
given IP is a forgery, result=maybe is of no help to the recipient.  In
cases like this, both parties wasted their efforts.  It appears that
giving senders the option to publish "?" violates two of Wayne's
sensible criteria, where what is communicated is something the sender
needs to say and the recipient needs to hear.  I completely agree with
Wayne's three criteria and would summarize them as, "a communication
protocol should communicate something useful".

The only thing that SPF facilitates is senders communicating what
constitutes a forgery based on return-path domain and IP.  It can't say
a message is good, only that it is forged.  Allowing senders to
equivocate on whether it is a forgery makes the answer meaningless.
Asking recipients to guess what senders mean when they say they don't know
will not reduce forgeries.

This is analogous to a DNS A record query returning ?NXDOMAIN, meaning
"the domain is not sure if they have an A record for that host".  If
they don't know, nobody else does.  More importantly, even though the
server responded, the party making the query learns nothing.

--
Seth Goodman
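The post's argument about the four qualifiers ("+", "-", "~", "?") can be made concrete with a small evaluator. The code below is an added example, not from the original message or the openspf project: it handles only the mechanisms that need no DNS lookup (ip4, ip6, all), follows the RFC 4408 default of "neutral" when nothing matches, and then maps each SPF result to what a receiver can actually do with it. The records and addresses are constructed (RFC 5737 and RFC 3849 documentation ranges), and the receiver policy is one plausible local policy, not something the spec mandates.

```python
import ipaddress

# SPF qualifier -> result name (RFC 4408 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP.

    Constructed subset: only ip4, ip6 and all are supported, so the function
    never touches DNS.  Mechanisms that would need a lookup (a, mx, include,
    exists, ptr) and the redirect modifier raise NotImplementedError rather
    than silently returning a wrong result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. exp= or redirect=
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect needs a DNS lookup")
            continue  # other modifiers do not affect the result here

        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # an ip4 term cannot match an IPv6 client and vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs a DNS lookup")

    # RFC 4408 section 4.7: no mechanism matched and no redirect -> neutral
    return "neutral"


def receiver_action(result):
    """Map an SPF result to a receiver disposition.

    This is one local policy (constructed for the example): only a hard
    "fail" is treated as a verdict the domain owner actually gave.  The
    remaining results leave the receiver exactly where it was without SPF,
    which is the point the post makes about "?" and "~".
    """
    if result == "fail":
        return "reject"       # "reject or filter" are both valid per the spec
    if result == "pass":
        return "accept-as-not-forged"
    return "no-spf-decision"  # softfail, neutral, none: back to local heuristics


def disposition(record, client_ip):
    """Convenience wrapper: record + IP -> (spf result, receiver action)."""
    result = evaluate_spf(record, client_ip)
    return result, receiver_action(result)


if __name__ == "__main__":
    forged_ip = "198.51.100.7"   # constructed: not in the sender's range
    legit_ip = "192.0.2.25"      # constructed: inside the sender's range
    for rec in ("v=spf1 ip4:192.0.2.0/24 -all",
                "v=spf1 ip4:192.0.2.0/24 ~all",
                "v=spf1 ip4:192.0.2.0/24 ?all",
                "v=spf1 ip4:192.0.2.0/24"):
        print(f"{rec:32} forged -> {disposition(rec, forged_ip)}")
    print(f"legit sender -> {disposition('v=spf1 ip4:192.0.2.0/24 -all', legit_ip)}")
```

Running it shows that, for the same forged address, only the "-all" record produces a disposition the receiver can act on; the "~all", "?all" and trailing-mechanism-less records all end in "no-spf-decision", which is the same place the receiver was before it asked.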

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/