OT: What is "SPF" ?

Tom Anderson tanderso at oac-design.com
Wed Sep 1 15:39:33 CEST 2004


From: "Matthias Andree" <matthias.andree at gmx.de>
> SPF is lobbied (not to say bullied) onto people for various purposes, to
> prevent address forgery (untrue), spam (untrue) and all that. The uses

Ok, I can see that caution is warranted when anything is lobbied by special
interests.  However, SPF appears to be the very thing that administrators
have been asking for... a way to establish the authority of a sending server
to represent a given address.  As I mentioned before, there have been
schemes to do this using MX or doing a reverse lookup, however this is not
always accurate due to virtual hosting and multiple servers on a domain.
SPF addresses this.  It's true that with SPF, address forgery can still
occur, but only by someone on the same domain, or one shared on the same
server.  E.g., an AOL member can forge the address of another AOL member, but
not a Yahoo member.  This is a step in the right direction.  You can
eliminate a lot of spam that way, or at least a spamming tactic anyway.  And
making it harder for spammers to spam ought to reduce the number of spammers
who think it is worthwhile to do so.  Moreover, it should become easier for
ISPs to identify the actual source and prosecute if necessary and possible.

> for which SPF is suggested will break mail forwards - with these, a
> server re-sends a mail with the original envelope sender, which SPF will
> flag as unauthorized.

Ok, I was thinking of a user forwarding manually, not an envelope forward.
I can see the point here.  However, doesn't such forwarding only occur by
manually setting this up?  E.g. have my home server forward all mail to work.
In this case, you could simply add the forwarding server to the SPF record.
Is there ever anonymous forwarding by unknown servers?

> It is true the admin is allowed to set the policy, but the way how SPF
> lobbyists and also blacklists lobbyists have acted in the past will
> warrant for insensible decisions on the majority of sites.

This would be something that admins would need to be accountable for.  It is
not a mark against SPF.  If their users' mail gets dropped, it's something
they will need to address via their SPF policy.  This is true of all
tools... potential for using them incorrectly does not reduce their
usefulness when using them correctly.  An over-zealous admin cannot block
incoming mail with SPF though, only set the policy for outgoing mail and
identifying forgeries of their domain.  Therefore, insensible decisions only
affect their own domain.  They can make it so that mail from their domain is
never accepted anywhere (or at least anywhere that queries their SPF
settings), and this may be a good thing, particularly if they don't have a
mail server on a given domain.

> ...thus breaking every form of properly (democratically) used anonymity.
>
> Unfortunately, anonymity and pseudonymity is abused/exploited in the
> internet for one's own personal economical advantage (which is the
> motive that needs to be attacked), to show off security flaws and
> carelessness (mass-mailing worms) and to some amount for stalking
> (forged sender in embarrassing posts).

Anonymity can be useful when it comes to things like voting and speaking on
unpopular matters.  However, there are places for that, and places where
that is not so useful.  Online, polls and discussion fora can enforce
anonymity and provide such a place.  In the physical world, voting booths
accomplish this.  But anonymity is not a right.  Privacy is a right, but not
anonymity.  You have a right to unplug your internet connection and keep
everything on your computer and everything in your house completely to
yourself.  You do not, however, have a right to slander or harm people, or
otherwise violate others' rights.  And to protect us from this, we have a
right to know who is acting upon us.  Not just in the legal sense, but also
in the social sense.  Mail or email simply cannot work if the recipients of
messages are so scared or inconvenienced to open their mailboxes that they
refuse to do so.  We are getting to this point.  People are giving up on
using email at all anymore.  I know individuals who have stopped checking
their inbox because there's just too much stuff in there.  So they hit their
quota and everything new gets dropped.  Anonymity will kill email.  And it
serves no useful purpose.  Why, except to deceive me, would you want to send
me something anonymously?

I don't know from where you hail, but in the U.S. Constitution, the 4th
Amendment protects a citizen's right to privacy, while the 6th Amendment
protects a citizen _against_ anonymity.

> SPF helps with not a single of these problems, because it inherently
> breaks forwards and hence makes internet email on SMTP basis even more
> unreliable than it already is.

Is such forwarding truly broken, and is it a function of SMTP in the first
place?  Either way, SPF is a tool.  You can choose to use it or choose not
to.  If your desired functionality is broken by it, then don't set an SPF
policy, or else set it to always accept.  No harm done.

Tom
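
Added example, not part of the original message: a minimal evaluator for the ip4/all subset of SPF, run over the cases discussed in this thread (direct delivery, an envelope forward, the forwarder listed in the record, an accept-all policy, and no policy at all). The domains, addresses and in-memory record table are constructed placeholders; a real check reads the record from DNS TXT and handles the remaining mechanisms.

```python
import ipaddress

# Constructed sample records (documentation-range addresses, placeholder domains).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # Same policy with the forwarding server's address added.
    "sender-fwd.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    # "Always accept": +all authorizes every host, so it identifies no forgeries.
    "open.example": "v=spf1 +all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate the ip4/all subset of SPF for the envelope sender's domain."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # a, mx, include, ... need DNS lookups and are skipped in this sketch
    return "neutral"  # nothing matched and the record has no "all" term


def scenarios():
    """The receiver sees only the connecting IP and the envelope sender."""
    origin, forwarder = "192.0.2.10", "198.51.100.25"
    return {
        "direct": check_spf(origin, "alice@sender.example"),
        # Forwarder re-sends with the original envelope sender unchanged.
        "forwarded": check_spf(forwarder, "alice@sender.example"),
        "forwarder_listed": check_spf(forwarder, "alice@sender-fwd.example"),
        "accept_all": check_spf(forwarder, "alice@open.example"),
        "no_policy": check_spf(forwarder, "alice@unpublished.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} {result}")
```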



