spf-discuss

Re: [spf-discuss] Re: Revising FAIL

2008-01-08 14:15:42
At 11:50 AM 1/8/2008, you wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Mehnle wrote:
> Alessandro Vesely wrote:
> > The current paragraph reads
> >
> > 2.5.4.  Fail
> >
> >     A "Fail" result is an explicit statement that the client is not
> >     authorized to use the domain in the given identity.  The checking
> >     software can choose to mark the mail based on this or to reject
> >     the mail outright.
> >
> > I'd rather see
> >
> >     A "Fail" result is an explicit statement that the client is not
> >     authorized to use the domain in the given identity.  The checking
> >     software MUST reject the mail outright.
> >
> > Marking may allow messages with abused names to hit users. SPF should
> > avoid exactly that. There are no false positives, since the domain
> > owner is the direct origin of such "explicit statement". (Yes, there
> > may be errors in the SPF setup, that's why SOFTFAIL exists. See next
> > post.)
>
> The problem with mandating receiver policy is that receivers are going
> to ignore it at will.  Receivers will always do what they think is best
> for them.
>
> The current wording merely suggests possible reactions to the "Fail"
> result but does not mandate anything.  I think it's better that way.

Since there seems to be some desire to make the "Fail" definition more
explicit with regard to messages getting rejected, how about that:

| A "Fail" result is an explicit statement that the client is not
| authorized to use the domain in the given identity.  Domain owners
| should be aware that mail receivers typically reject messages on this
| result.  Alternatively, some receivers decide to mark the mail based on
| this.

?

This conveys both a heads-up to domain owners as well as a warm fuzzy
feeling to receivers that others, too, are rejecting on "Fail", without
actually mandating receiver policy.
-- snip --
Looks good.  May I offer this minor wording change...

| A "Fail" result is an explicit statement that the client is not
| authorized to use the domain in the given identity.  Domain owners
| should be aware that, while most mail receivers typically reject
| messages on this result as suggested, some receivers may decide to
| mark the mail based on this.

I'm playing with semantics a little here in saying suggested, in that what I mean is what the word Fail suggests rather than the making of an actual recommendation. If developers were to take it as a recommendation, I would not be heartbroken. After all, when I publish an SPF record with "-ALL", such that the outcome is an explicit Fail for that domain, I would prefer the result was, in fact, a rejected message.

FWIW, in future versions of SPF it might be nice to introduce a "FAIL-REJECT" vs a "FAIL-BOUNCE" concept with some trigger in the SPF record to further indicate and further qualify the preference of the domain holder as to what the receiver should do with a "Fail". I'm not sure which would be considered the default, but perhaps the way to handle that might be to follow an "-all" with a "-reject" or "-bounce" or some such thing to indicate the domain holder's desire. Personally, I think the default should be "-reject" to avoid having to receive the bounces from a "Fail". After all, I know it should fail because I created the SPF record, the receiver knows I want it to fail because they read and interpreted my intent, so let's just drop the problem message and save both our systems further time and energy.

Best,

AlanM
The Commerce Company
TZ.Com - Travel Zippy
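
The two receiver reactions to "Fail" discussed in this thread (reject outright, or accept and mark), as an added example that is not part of the original messages: it evaluates a constructed record ending in "-all" and applies a local policy switch. The function names, the `on_fail` parameter, the record and the addresses are assumptions, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# SPF qualifier prefix -> result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, client_ip):
    """Evaluate an SPF record that uses only ip4, ip6 and all (a simplification)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A mechanism without a qualifier defaults to "+".
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled in this example: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and there was no "all"

def receiver_action(result, sender, client_ip, on_fail="reject"):
    """Apply local policy. Returns (accepted, text): the SMTP reply when the
    message is refused, otherwise the trace header to prepend before delivery."""
    domain = sender.rpartition("@")[2]
    if result == "fail" and on_fail == "reject":
        # Refuse during the SMTP transaction with a permanent error.
        return False, f"550 5.7.1 SPF fail: {client_ip} is not authorized to use {domain}"
    # "mark": accept and record the result for filters or the user agent.
    return True, f'Received-SPF: {result} client-ip={client_ip}; envelope-from="{sender}";'

if __name__ == "__main__":
    record = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed record
    sender = "user@example.com"               # constructed envelope sender
    for client in ("192.0.2.10", "198.51.100.7"):
        result = evaluate(record, client)
        for policy in ("reject", "mark"):
            print(client, result, policy, receiver_action(result, sender, client, policy))
```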

