[Top] [All Lists]

[spf-discuss] Re: Revising SOFTFAIL -- ~/SoftFail as a testing tool

2008-01-05 07:11:11
Hash: SHA1

Michael Deutschmann wrote:
On Sat, 5 Jan 2008, Julian Mehnle wrote:
However I do like the idea of making it more clear that the ~
qualifier is supposed to be a testing tool, not a permanent band-aid
for SPF's alleged "forwarding problem" as many domain owners seem to

My understanding it is that it is neither a forwarding band-aid nor a
testing tool.  It's a band-aid for a different problem -- that of users
who roam to other ISPs (perhaps using a laptop), and send their mail
either direct-to-MX or via a different ISP's smarthost.

No, that's what the ? qualifier is for.  ~ was meant as a tool for testing 
during roll-out.  Unfortunately RFC 4408 does not make this sufficiently 
clear, but it can be seen from both older versions of the spec and all 
versions of Mail::SPF::Query, which has long been "the" SPF reference 

draft-mengwong-spf-00 and -01:

| 9.3 Phased Rollout
| At an adopting domain, adoption of SPF could occur in phases.  A domain
| might move through these phases by changing its default response type
| from "neutral" to "softfail" to "fail".
| The phases are characterized by different levels of awareness among the
| domain's userbase, and different levels of strictness on the part of
| SPF-conformant receivers.
| When a sufficient majority of its users are SPF-conformant, a domain
| SHOULD change its default to "fail". [...]

draft-mengwong-spf-00 and -01, and draft-schlitt-spf-classic-00:

| [6.3 / 7.2] The Received-SPF header
| [...]
| Example headers generated by mybox.example.org:
| [...]
|        Received-SPF: softfail (mybox.example.org: domain of
|                                transitioning myname(_at_)example(_dot_)com 
does not
|                                designate as permitted sender)


| 2.4.4  SoftFail
| A SoftFail result should be treated as somewhere between a Fail and a
| Neutral.  This value is used by domains as an intermediate state during
| roll-out of publishing records.  The domain believes the host isn't
| authorized but isn't willing to make that strong of a statement. [...]

| 4.2  Results
| [...]
| Results from interpreting valid records:
|    Neutral  (?): published data is explicitly inconclusive
|    Pass     (+): the <ip> is in the permitted set
|    Fail     (-): the <ip> is in the not permitted set
|    SoftFail (~): the <ip> may be in the not permitted set, its use is
|             discouraged and the domain owner may move it to the not
|             permitted set in the future
| [...]

And check out these -- search for "transitioning":


It seems the idea of ~ being a testing tool during roll-out got lost in 
the draft-schlitt-spf-classic drafts.  We could restore it in a 4408bis 

Using ?all or ~all as a forwarding band-aid is bad -- it destroys
relevant information.


Version: GnuPG v1.4.6 (GNU/Linux)


Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: 
Powered by Listbox: http://www.listbox.com

<Prev in Thread] Current Thread [Next in Thread>