On Sat, Jan 05, 2008 at 11:28:53AM +0000, Julian Mehnle wrote:
> > The current paragraph reads
> >
> >     2.5.4. Fail
> >
> >     A "Fail" result is an explicit statement that the client is not
> >     authorized to use the domain in the given identity. The checking
> >     software can choose to mark the mail based on this or to reject the
> >     mail outright.
> >
> > I'd rather see
> >
> >     A "Fail" result is an explicit statement that the client is not
> >     authorized to use the domain in the given identity. The checking
> >     software MUST reject the mail outright.
> >
> > Marking may allow messages with abused names to hit users. SPF should
> > avoid exactly that. There are no false positives, since the domain
> > owner is the direct origin of such "explicit statement". (Yes, there
> > may be errors in the SPF setup, that's why SOFTFAIL exists. See next
> > post.)
>
> The problem with mandating receiver policy is that receivers are going to
> ignore it at will. Receivers will always do what they think is best for
> them.
True. But one could argue that SPF is a way to ask a receiver to cooperate
with the domain owner. The text could read something like:

    A "Fail" result is an explicit statement that the client is not
    authorized to use the domain in the given identity. The host is
    encouraged to reject the message outright. If the message is not
    rejected, it MUST NOT result in automated replies including but not
    limited to DSNs.

I think this does give the receiver the option to receive the message,
but at the same time it makes clear that the domain owner should not be
bothered with the resulting problems. This is (IMHO) the spirit of SPF.
Alex
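The receiver-side handling the thread argues about (reject at SMTP time versus accept-and-mark, and no automated replies when a "Fail" is accepted anyway), as an added worked example. This is not code from the list, the SPF spec or any SPF library: it assumes the MTA has already evaluated SPF (for instance with pyspf) and holds one of the seven RFC 4408 result strings. The ReceiverPolicy knobs, the Verdict type, the decide/may_generate_dsn functions and the sample sender, host and address parameters are all constructed for illustration; the Received-SPF header follows the layout of RFC 4408 section 7.

```python
"""Turning an SPF result into an SMTP-time action (added example)."""
from dataclasses import dataclass
from enum import Enum


class SpfResult(str, Enum):
    # The seven results defined in RFC 4408 section 2.5
    NONE = "none"
    NEUTRAL = "neutral"
    PASS = "pass"
    FAIL = "fail"
    SOFTFAIL = "softfail"
    TEMPERROR = "temperror"
    PERMERROR = "permerror"


@dataclass
class ReceiverPolicy:
    # Local receiver choices (hypothetical knobs, not from the spec).
    reject_on_fail: bool = True                 # 550 at SMTP time on "fail"
    defer_on_temperror: bool = True             # 451 on DNS trouble
    no_auto_replies_on_softfail: bool = False   # optional extension of the no-DSN rule


@dataclass(frozen=True)
class Verdict:
    smtp_code: int                  # 250 accept, 451 defer, 550 reject
    enhanced_status: str            # RFC 3463 code for 4xx/5xx, "" when accepted
    headers: tuple                  # headers to prepend if accepted
    suppress_auto_replies: bool     # no DSN, vacation or challenge mail to the sender
    reason: str


def received_spf_header(result, receiver, client_ip, envelope_from, helo, comment):
    """Build a Received-SPF header in the RFC 4408 section 7 layout."""
    return (f"Received-SPF: {result.value} ({receiver}: {comment}) "
            f"receiver={receiver}; client-ip={client_ip}; "
            f"envelope-from={envelope_from}; helo={helo};")


def decide(result, policy, *, receiver, client_ip, envelope_from, helo):
    """Map an SPF result to an SMTP action under the receiver's policy."""
    domain = envelope_from.rsplit("@", 1)[-1]

    def accept(comment, suppress):
        hdr = received_spf_header(result, receiver, client_ip, envelope_from, helo, comment)
        return Verdict(250, "", (hdr,), suppress, comment)

    if result is SpfResult.FAIL:
        comment = f"domain of {envelope_from} does not designate {client_ip} as permitted sender"
        if policy.reject_on_fail:
            # Rejecting before the message is accepted leaves any bounce to the
            # connecting client, so the (possibly forged) envelope sender never
            # gets a DSN from this host.
            return Verdict(550, "5.7.1", (), True, comment)
        # Accepted despite "fail": mark it, but never auto-reply to the envelope
        # sender, since the domain owner has stated this client is not theirs.
        return accept(comment, suppress=True)

    if result is SpfResult.SOFTFAIL:
        comment = (f"transitioning domain of {envelope_from} does not designate "
                   f"{client_ip} as permitted sender")
        return accept(comment, suppress=policy.no_auto_replies_on_softfail)

    if result is SpfResult.PASS:
        comment = f"domain of {envelope_from} designates {client_ip} as permitted sender"
        return accept(comment, suppress=False)

    if result is SpfResult.TEMPERROR:
        comment = f"temporary DNS error while looking up SPF record for {domain}"
        if policy.defer_on_temperror:
            return Verdict(451, "4.4.3", (), True, comment)
        return accept(comment, suppress=False)

    if result is SpfResult.PERMERROR:
        return accept(f"malformed SPF record for {domain}", suppress=False)

    # "none" and "neutral": RFC 4408 says neutral must be treated like none.
    comment = f"{client_ip} is neither permitted nor denied by domain of {envelope_from}"
    return accept(comment, suppress=False)


def may_generate_dsn(verdict):
    """Only accepted mail whose envelope sender SPF did not disown may bounce:
    rejected mail is the client's problem, and accepted-but-failed mail must
    not turn into backscatter to the abused domain."""
    return verdict.smtp_code == 250 and not verdict.suppress_auto_replies


if __name__ == "__main__":
    # Constructed sample: a forged example.com sender connecting from 192.0.2.1
    args = dict(receiver="mx.example.net", client_ip="192.0.2.1",
                envelope_from="alice@example.com", helo="mail.example.com")
    for policy in (ReceiverPolicy(reject_on_fail=True), ReceiverPolicy(reject_on_fail=False)):
        v = decide(SpfResult.FAIL, policy, **args)
        print(v.smtp_code, v.enhanced_status or "-", "DSN allowed:", may_generate_dsn(v))
        for h in v.headers:
            print(" ", h)
```

The point of keeping suppress_auto_replies as a property of the verdict rather than of the policy is that every later stage that might mail the envelope sender (bounce generation after a delivery failure, vacation responders, challenge/response filters) can consult one flag instead of re-deriving the SPF outcome.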
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/