spf-discuss

Re: [spf-discuss] Senderside forwarder-problem mitigation

2009-07-11 00:04:30
On Fri, 10 Jul 2009, Alessandro Vesely wrote:
> Michael Deutschmann wrote:
>> The problem is that, like Microsoft SenderID, V-SPF is compromising the
>> effectiveness of G-SPF by leading senders to be timid in their SPF records.
>
> I don't see much difference among various flavors (G, V, D) of SPF.
> Senders who mean SPF to only be used for whitelisting desire that
> receivers set, say, whitelist_from_spf in sa, and already have ~all or
> ?all to choose from. Senders who mean SPF to also reject forgeries set
> -all.

But this approach hurts the mailboxes where a forwarder whitelist is
available.  If the sender had given the whole story in its SPF record, the
receiver could reject forgeries with no false positive risk.


Look at it this way -- there are five kinds of practical forwarding
problem mitigation:

Crap Receiverside -- Treat all SPF results as if they were the most
permissive of the actual result and Neutral.

Elite Receiverside -- Use a forwarder whitelist to give a virtual Pass to
forwarded mail, otherwise apply actual SPF result.

Forwarderside -- Use SRS, or at least sham-SRS (changing the MAIL FROM, but
making no arrangement to relay bounces).

Crap Senderside -- Write the SPF policy to give the most permissive of the
correct result (from a G-SPF perspective) and neutral.

Elite Senderside -- Use VERP, the exists mechanism, and a magical DNS
server.

Any one of these will eliminate false positives due to the forwarding
problem.  But both Crap Receiverside and Crap Senderside cause a horrendous
increase in false negatives.

If neither Elite method existed, then the loss from G-SPF or V-SPF confusion
would be minimal in practice -- since no one would use softdeny or fail, and
no one would believe them anyway.

But the G-SPF/V-SPF confusion costs SPF a chance to shine when Elite
mitigation is available.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
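
The two receiver-side mitigations described in the post above, as an added example that is not part of the original message: it scores them against an unmitigated baseline ("strict", added here for comparison) on three constructed messages. The IP addresses, the whitelist, the function names and the rule that only a Fail result is rejected are assumptions made for the illustration.

```python
import ipaddress

# SPF results from least to most permissive (the four the post is concerned with).
PERMISSIVENESS = {"fail": 0, "softfail": 1, "neutral": 2, "pass": 3}

def crap_receiverside(actual):
    """Most permissive of the actual result and Neutral."""
    return max(actual, "neutral", key=PERMISSIVENESS.__getitem__)

def elite_receiverside(actual, client_ip, forwarder_whitelist):
    """Virtual Pass for mail relayed by a whitelisted forwarder, else the actual result."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in forwarder_whitelist):
        return "pass"
    return actual

# Constructed sample: (description, client IP, actual SPF result, is_forgery).
# The sender publishes -all; 192.0.2.0/24 is this mailbox's known forwarder.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = [
    ("direct from sender", "198.51.100.10", "pass", False),
    ("via known forwarder", "192.0.2.25", "fail", False),
    ("forgery from botnet", "203.0.113.77", "fail", True),
]

def score(policy):
    """Return (false_positives, false_negatives) when only 'fail' is rejected."""
    fp = fn = 0
    for _desc, ip, actual, forged in SAMPLE:
        rejected = policy(actual, ip) == "fail"
        fp += rejected and not forged   # legitimate mail rejected
        fn += forged and not rejected   # forgery accepted
    return fp, fn

def compare():
    return {
        "strict": score(lambda a, ip: a),  # actual result, no mitigation
        "crap": score(lambda a, ip: crap_receiverside(a)),
        "elite": score(lambda a, ip: elite_receiverside(a, ip, WHITELIST)),
    }

if __name__ == "__main__":
    for name, (fp, fn) in compare().items():
        print(f"{name:6} false positives={fp} false negatives={fn}")
```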

