From: "Kevin W. Gagel" <[EMAIL PROTECTED]>
> From: "jdow" <[EMAIL PROTECTED]>
> > From: "Clarke Brunt" <[EMAIL PROTECTED]>
> > > Jonathan Nichols wrote:
> ---snip---
> > Even more to the point SPF is NOT a reason to accept or
> > reject mail. All it does is verify the domain from which
> > it originated. That is a tool for SCORING spam not for
> > outright elimination of messages that have bad SPF records
> > and accepting those that have good SPF records. It is
> > perfectly legitimate for a spammer to build his own SPF
> > record and get approved by such mal-configured tools. All
> > the SPF record does is give you confidence of the veracity
> > of one hop in the chain.
>
> The intent of SPF was to provide a mechanism to verify that
> the sending server and the claimed domain the mail was from
> were the same. A failure allows the email admin to do what
> they want at that point. Discard, reject, bounce or send it
> through a tagging system like SA.
>
> In other words it was designed to allow you to reject IF you
> want to. So yes, it is a reason to accept or reject - IF
> that is what they want to do. I don't because it has not yet
> gained the widespread acceptance needed to help me reduce my
> workload. But I have published records to help others reject
> mail claiming to come from my domain. In fact since
> publishing the records I have not had complaints coming to
> me about forged spam. So I think it's starting to gain
> acceptance and doing what it's intended to do.

All well and good. But if you perform an engineering analysis on its failure mechanisms it's not really telling you much of anything that is useful given the vagaries of the Internet today. People have not figured out everything you have to go through to make your own SPF records safe and useable for yourself when legitimate recipients may be overreacting to erroneous SPF records. At the moment any serious reliance on SPF failure will up your false positive rate. IMOAO the false positive is a FAR greater annoyance than the missed spam.

And if the false positive results in rejected emails this can be both very expensive and exquisitely annoying to users. If YOU are the only user then you have performed your own analysis and accept the risks. If it is part of a large ISP you might want to rethink your employer's risks in summarily rejecting emails solely on the basis of a failed SPF record at a time that this is fairly well expected to happen on quite legitimate emails. {^_^}
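The thread argues that an SPF check tells you one thing, whether the connecting IP is authorised by the claimed sender domain's record, and that the safer use of that result is as a scoring input rather than a hard reject. The example below, added here and not code from either poster or from SpamAssassin, shows the two halves of that design: a small evaluator for the ip4/ip6/all mechanisms of an SPF record, and a policy layer that turns the result into a score increment. The "DNS" table, the domain names and the score values are constructed for the example; the scores are not SpamAssassin's real SPF rule scores. Mechanisms that need further DNS lookups (include, a, mx, redirect) are deliberately reported as temperror rather than guessed, which is the same "don't reject on what you cannot verify" stance the thread takes.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (or None).
# These are illustrative records, not the real records of any domain.
SAMPLE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "neutral.example": "v=spf1 ?all",
    "nospf.example": None,
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that require additional DNS resolution; not evaluated offline.
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr", "redirect"}


def evaluate_spf(sender_ip, domain, records=SAMPLE_SPF_RECORDS):
    """Return the SPF result for sender_ip claiming to send from domain.

    Only ip4, ip6 and all are evaluated. Returns one of:
    pass, fail, softfail, neutral, none, permerror, temperror.
    """
    record = records.get(domain)
    if not record:
        return "none"  # no record published: SPF says nothing at all
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "pass" when they match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower().split("=")[0]  # "redirect=domain" is a modifier
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: cannot be trusted
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        if mech in DNS_MECHANISMS:
            # Would need live DNS; report "could not evaluate" rather than
            # produce a fail the record may not actually imply.
            return "temperror"
        return "permerror"  # unknown mechanism
    return "neutral"  # no mechanism matched and no "all" present


# Constructed, illustrative score contributions for a tagging system.
# fail and softfail push toward spam; pass is a weak positive signal only,
# because anyone can publish a record that authorises their own server.
SPF_SCORES = {
    "fail": 1.5,
    "softfail": 0.8,
    "permerror": 0.5,
    "neutral": 0.0,
    "none": 0.0,
    "temperror": 0.0,
    "pass": -0.5,
}


def spf_score(result):
    """Map an SPF result to a score increment instead of an accept/reject."""
    return SPF_SCORES.get(result, 0.0)


def score_message(sender_ip, domain, records=SAMPLE_SPF_RECORDS):
    """Convenience wrapper: (spf_result, score_increment) for one message."""
    result = evaluate_spf(sender_ip, domain, records)
    return result, spf_score(result)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"),
                    ("203.0.113.7", "example.com"),
                    ("203.0.113.7", "softfail.example"),
                    ("203.0.113.7", "nospf.example")]:
        print(ip, dom, score_message(ip, dom))
```

Note that a "fail" here adds 1.5 to a running score and the message continues through the rest of the checks; nothing in this layer rejects. If a site does choose to reject outright, the place to do it is a separate policy on top of `evaluate_spf`, so the decision is explicit and auditable rather than buried in the evaluator.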