On Thu, Dec 14, 2017 at 8:07 PM, Bill Cole
<mailop-20160...@billmail.scconsult.com> wrote:
> On 14 Dec 2017, at 14:01 (-0500), Jim Popovitch wrote:
>
>> Aside from a few HUGE providers, those with very large and disparate
>> networks/offices/topology....
>
>
> SPF isn't related to the complexity of a network, but control of users using
> a domain name, which is a very different thing.

Forget about users, think IoT devices.   ~all makes it easy for a
hacked device to send emails using your domain.

>> -all means that the domain operator knows what they are doing,
>
>
> No, it means they know what their users do.

Not every network or domain is used as a mailbox provider.

> Or that they THINK they do.
>
>> knows
>> what their network consists of and how email is routed within their
>> network.  It further states that the -all publisher has committed to
>> staying abreast of what happens in their environment in order to
>> assure their IP space is properly routing email.  It instills
>> confidence.
>
>
> There continue to be sites that do traditional ~/.forward-style transparent
> SMTP forwarding, which preserves the envelope sender as received. There
> continue to be websites which give users the ability to send content to
> others which use the address of the user initiating the action as the
> envelope sender, so that bounces go to the person who might care.
>
> Last I checked, it was frowned upon for sysadmins to execute users who
> obliviously violate a SPF '-all' policy by mailing a 'wrong' person or using
> a 'wrong' 3rd-party system.
>
>
>> ~all is just plain lazy, and is akin to saying that you don't have
>> confidence in your ability to own and control your own network;
>
>
> You keep using that word. I do not think it means what you think it means.

Ahh, a Princess Bride fan...

> If you consider users to be a subordinate part of a "network" then no
> "network" is controllable or should be.

No, that's not what I'm saying.  Forget about users, think spambot
infested devices on your network (or on someone else's network using
your domain).

>> and
>> you want others to spend some level of time/money (in the form of CPU
>> cycles) analyzing email emitted from your network to determine its
>> suitability for deliverability.
>
>
> There you go saying "your network" again, yet fundamentally '~all' says 'my
> users might cause mail using my domain name to come from networks OTHER THAN
> mine.' Which is true of almost any significant set of users. Mail actually
> from the domain owner's network properly will be authenticated by what comes
> BEFORE the '~all' default.

Of course, but we're not really discussing what comes before the ~all
or -all, rather what comes after the properly identified network
resources listed in the SPF RR.

-Jim P.
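The distinction argued over in this thread, a sender inside the listed network resources versus one elsewhere and how only the trailing `-all`/`~all` default decides the latter, as an added example that is not part of the original message. It is an offline subset of SPF evaluation (RFC 7208) that handles `ip4:`, `ip6:` and `all` only; mechanisms needing DNS (`a`, `mx`, `include`, `exists`, `ptr`) are rejected rather than silently skipped, and the records and addresses are constructed sample values.

```python
import ipaddress

# Result for each qualifier, per RFC 7208 section 4.6.2.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record against a connecting IP.

    Offline subset: handles ip4:/ip6: mechanisms and the 'all' default.
    Mechanisms that need DNS (a, mx, include, exists, ptr) are not
    resolved here; they raise instead of being silently skipped.
    Returns pass/fail/softfail/neutral, or 'none' when no mechanism
    matches (a record with no trailing 'all').
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # The default: everything not matched above lands here.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism '{name}' needs DNS; not supported offline")
    return "none"

# Constructed sample: identical network resources, differing only in the default.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

def compare_defaults(sender_ip):
    """Return (result under -all, result under ~all) for one sending IP."""
    return evaluate_spf(STRICT_RECORD, sender_ip), evaluate_spf(SOFT_RECORD, sender_ip)

if __name__ == "__main__":
    # Inside the operator's listed space: authenticated by what comes before 'all'.
    print(compare_defaults("192.0.2.25"))     # ('pass', 'pass')
    # Elsewhere (a forwarder, a third-party site, or a compromised device):
    print(compare_defaults("198.51.100.7"))   # ('fail', 'softfail')
```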

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
