At 17:39 07/07/2009 Tuesday, Scott Kitterman wrote:
> On Mon, 6 Jul 2009 01:10:01 -0700 (PDT) Michael Deutschmann
> <michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:
>
> There has been some discussion of treating "v=spf1 -all" records
> differently because there's no risk of false positive. Beyond that, I
> don't think a false positive is impossible (it's not actually impossible
> for "v=spf1 -all" records either).
>
> Scott K

That's the one I would like to see, as I regularly see attempted backscatter to
{random}(_at_)alandoherty(_dot_)net
when my SPF for any non-envelope-sender(_at_)alandoherty(_dot_)net is "v=spf1 -all",
but too few reject on a hardfail
{by non-envelope-sender I mean any existing in outgoing including my many
incoming only like abuse@ etc}

What I'd love is either SPF clients to treat "v=spf1 -all" as an absolute fail,
or for us to have a "v=spf1 {something else}all" that meant absolute fail
{for valid use only in records where there is never any mail or HELO with that
domain},
or for records using redirects to serve separate records for valid/invalid
addresses
{any other preceding SPF other than exp= or redirect= being a syntax error,
"PermError"},
for receivers that aren't confident rejecting on -all
{as they don't want to break forwarders they don't know their users are using},
so they can reject these clear forgeries, as they are invalid regardless of
client IP
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
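
An added example, not part of the original post or of any SPF library: a receiver-side check that recognises a "v=spf1 -all" record (optionally with exp=) as a policy that fails for every client IP, so it can be separated from an ordinary hardfail. The function names and the reject/evaluate policy are assumptions, the record strings are constructed, and no DNS lookups are made.

```python
# Added example: recognise a "this domain never sends mail" SPF policy.
# Record strings used here are constructed; TXT records are passed in
# by the caller, so nothing is fetched from DNS.

def spf_terms(txt):
    """Return the terms after the version tag, or None if txt is not SPF."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return [p.lower() for p in parts[1:]]


def is_null_policy(txt):
    """True only for "v=spf1 -all", optionally with an exp= modifier.

    Any mechanism before -all (ip4, a, mx, include, ...) or a redirect=
    means some client IP might pass, so the record is not a null policy.
    """
    terms = spf_terms(txt)
    if terms is None:
        return False
    remaining = [t for t in terms if not t.startswith("exp=")]
    return remaining == ["-all"]


def receiver_action(txt_records):
    """Hypothetical receiver policy for the envelope-sender or HELO domain."""
    spf = [r for r in txt_records if spf_terms(r) is not None]
    if len(spf) > 1:
        return "permerror"   # RFC 4408: more than one SPF record
    if len(spf) == 1 and is_null_policy(spf[0]):
        return "reject"      # fails for every client IP, forwarders included
    return "evaluate"        # run the normal per-IP SPF evaluation


if __name__ == "__main__":
    for records in (["v=spf1 -all"],
                    ["v=spf1 mx -all"],
                    ["v=spf1 redirect=_spf.example.org"]):
        print(records, "->", receiver_action(records))
```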