WebMaster at Commerco
Dec 21, 2007, 3:04 PM
Post #34 of 50
At 02:23 PM 12/21/2007, you wrote:
>On Fri, 2007-12-21 at 22:15 +0100, Alex van den Bogaerdt wrote:
> > There is absolutely no forwarding problem. The person receiving a
> > message (note: receiving!) is resending the message using someone
> > else's email address. He's doing the damage but expects others to
> > clean up after him if things fail.
>This is how SMTP has worked since the early 1980s, and still works
>today. If you choose to believe that by continuing to be compatible with
>how email has worked for over two decades I am 'doing the damage', then
>so be it.
>If you use -all, there are situations in which your mail will be thrown
>away. If you reject for failure, there are situations in which you will
>be throwing away genuine mail, forwarded through normal, SMTP-compatible
>It's very disingenuous of you, Alex, to tell people otherwise.
> > What's worse, he himself is sending to an account which *also* opted
> > in to SPF. So the troll *is* using SPF. Else there wouldn't be a
> > so called problem.
>You seem very confused, or very dishonest. I am not using SPF at all.
I am even more confused. If I understood Mr. Woodhouse properly, he
originally painted a scenario where I think he said words to the
effect that by having a "-all" approach to one's SPF record, somehow
a message sent by Mr. Woodhouse could not be forwarded and that
receivers would somehow not receive his messages.
Yet, just above, Mr. Woodhouse says he doesn't use SPF at all. For
him then, nothing has changed and I fail to understand his argument.
For me, I've had SPF implemented since sometime around 2004 or so and
I implemented it with a "-all" approach without ever experiencing a
problem with lost messages.
I do, however, benefit from having an absolute assertion which I can
point to - if anyone ever gets an email message from a domain under my
control that does not come from the outgoing SMTP servers I define
for the domain, then it is to be considered bogus. I want the
receiver to trash such a message prior to considering distributing it
and not send a bounce back to me. Frankly, I'm happy with that
assumption and interpretation and the experience from doing this for
several years tells me that it does not break my ability to send or
receive email messages.
Now then, going back to check when I started with SPF, I saw a post
to this very list from Mr. Woodhouse, here is an interesting excerpt
from a message in late 2004.
"Until SRS is ubiquitous that's not strictly true. Throwing away the SPF
FAIL is _also_ hurting adoption. Every time someone complains that
forwarded email is bouncing, I get them to tell the _sender_ not to
publish '-all' and the _recipient_ not to obey it. It's too soon."
From this thread, I gather his opinion has not changed, despite the
huge numbers of SPF adopters these days. Even so, I find it more than
odd that he (as a non-adopter) spends so much time on the list for so
many years poking at something that clearly works for those who
actually *have* implemented SPF. It might be interesting to better
understand the history there.
I think that it was entirely because there was a perceived defect by
some in the way that SMTP has worked for over 20 years that SPF was
proposed. After all, just because something has a long history, does
not mean it cannot be improved upon or that it does not have some
fundamental defect that can be exploited by some once said defect is
discovered (read Joe Jobs). My first SMTP server (circa 1995) was so
brain damaged, that one could not even turn off the ability to relay
messages. In your view, Mr. Woodhouse, do you think I should be
maintaining that old open relay server because it followed the
standard? I hope not.
A high school physics teacher of mine from many years ago frequently
uttered the words, "The dogs may bark, but the caravan moves on" when
class members groused about changes. Change happens, usually because
through change, certain problems identified along the way are
addressed by the change.
For me and my company, SPF works and it works well with the "-ALL"
For others, it might not work so well - so be it - let them face
people spoofing their domain name identities, get bounces from all
over the place and generally face the misery that everyone did prior
to SPF - from the "working" SMTP standard to which Mr. Woodhouse
appears to feel so attached.
Getting back to the original point of the thread, why Google
apparently wants folks to specify "~all" rather than "-all", perhaps
in their case (because they offer a huge email service), they don't
wish to reveal all the possible outgoing SMTP servers to avoid some
type of attack on GMail. Personally, I think there are better ways
of handling such things even in huge scale email service environments.
The Commerce Company
TZ.Com - Travel Zippy
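
The disagreement in this thread comes down to which IP address and which envelope-sender domain a receiver feeds into the SPF check. The sketch below is an added example, not part of the original post or of any SPF library: it evaluates only the `ip4`/`ip6` and `all` mechanisms, and every domain and address in it is constructed from documentation ranges. It compares direct delivery, plain forwarding under `-all` and `~all`, and forwarding with a rewritten envelope sender (what SRS, named in the 2004 excerpt, does).

```python
import ipaddress

# Constructed SPF records; the domains and address ranges are documentation values.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "softsender.example": "v=spf1 ip4:192.0.2.0/28 ~all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from_domain, records=RECORDS):
    """Evaluate the ip4/ip6 and all mechanisms of the domain's SPF record."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # the domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not modelled: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def scenarios():
    """Results a receiver would compute for the cases argued over in the thread."""
    origin_ip, forwarder_ip = "192.0.2.5", "198.51.100.25"
    return {
        # Receiver sees the sender's own outgoing server.
        "direct, -all": check_host(origin_ip, "sender.example"),
        # Forwarder relays with the original envelope sender left unchanged.
        "forwarded, -all": check_host(forwarder_ip, "sender.example"),
        "forwarded, ~all": check_host(forwarder_ip, "softsender.example"),
        # Forwarder rewrites the envelope sender into its own domain.
        "forwarded, rewritten sender": check_host(forwarder_ip, "forwarder.example"),
    }
```
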