On Jan 26, 2004, at 7:35 PM, Tod Fitch wrote:
To change the topic to a little more mail server specific: Does anyone on this list have opinions about "Sender Permitted From" (SPF) as described at http://spf.pobox.com/
Chuq has what seem to be sensible comments against it in his blog, Teal Sunglasses:
<http://www.plaidworks.com/chuqui/blog/001257.html>
I have a lot of respect for Chuq, but I think he's missing the point. SPF is not the FUSSP. It is a tool for preventing and identifying forgery. It will break some legitimate uses of mail not, and force workarounds to salvage the ability to send as any legitimate identity from wherever you happen to be connected, but the reality is that the ability to do that has already been hampered by widespread but inconsistent anti-spam and anti-forgery measures invented and implemented unilaterally by access providers.
Eliminating undetectable forgery will fix a number of things currently broken with SMTP email, including the problems some of us are seeing today with the blowback of the MyDoom worm and the hard case of what one is to do with mail that one accepts at the outside gateway but then cannot deliver. A mail server that uses SPF can safely generate bounces for undeliverable messages which passed SPF muster when accepted, and that is a positive move.
The costs of SPF are the death of transparent forwarding and a choice for domain owners of either establishing remote access mechanisms for users or accepting lowered deliverability by not implementing SPF or using a wildcard record allowing any machine as a sender, which also makes addresses in the domain easily forgeable.
--
Bill Cole [EMAIL PROTECTED]
############################################################# This message is sent to you because you are subscribed to the mailing list <[EMAIL PROTECTED]>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>
