
[spf-discuss] SPF basics commentary

2007-01-27 10:05:55
SPF on the sender side provides some data about IP addresses and their linkage
to domain names.  Much of our conversation is about
precisely when and how this can be used.  Much of the controversy is about
how to "stretch" this information to separate "legitimate" mail
from "spam".

I submit that SPF is inadequate for this purpose.  It does not
provide enough information to make a definitive judgement about
whether email is "legit" - and it never will.  Some of the determination
is simply subjective judgement.  The rest is not determinable solely
from what SPF provides.

SPF provides enough information to prevent certain kinds of forgery.
Let's focus on those uses of SPF that provide precise, reliable data, and
how those can be used.

HELO checking is a good example.  I think there is consensus that this is
safe and effective, and can be deployed immediately everywhere without pain.
I think we should push this.  It does *not* constitute
a particularly effective anti-spam policy, so it should not be oversold,
but it can be very effective in blocking spam bot-nets and the like that
forge HELO names.

In checking MAIL FROM:, there are lots of issues with forwarding, SRS, etc.
Hence the spirited conversation on this list.  This is great.

We should step back and focus on what SPF _can_ do reliably
and with precision, and reduce our focus on what it does not do well.

I would like to see wide adoption of SPF as a useful tool.  Chasing
corner cases and forwarding issues detracts from this goal.

-dgl-
