
Opposition to RFC 7208 - SPF.

From "D. Stussy" <spam+newsgroups@bde-arc.ampr.org>
Newsgroups comp.mail.misc, comp.std.misc
Subject Opposition to RFC 7208 - SPF.
Date 2014-06-08 13:57 -0700
Message-ID <ln2inr$kr2$1@snarked.org> (permalink)

Cross-posted to 2 groups.



Here are my comments regarding RFC 7208.  They have also been sent to the 
RFC's author.  I am clearly opposed to this RFC becoming part of the 
Internet standards for mail for these reasons:

"TXT-RRs are meant for human-readable operations.  Although SPF has a 
human-readable form, it is mainly meant for machine processing, so its own 
RR-type was clearly appropriate.

"The fact that DNS suppliers (other than ISC's BIND) did not widely support 
it is not a design fault of the concept.  Furthermore, many people treated 
RFC 4408's "temporary" as "forever" -- clearly wrong.  RFC 4408 should have 
set forth an actual timetable for exclusive use of the SPF-RR type but did 
not.

"Furthermore, the "Received-SPF" header should have been completely removed 
in favor of the more generic (and later) "Authentication-Results" header 
(originally proposed in RFC 5451).

"Lastly, although valid syntax, there is no section giving consideration to 
CIDR masks of "/8" or fewer bits as an alternative to a final result 
mechanism of "+all" to authorize malicious mail from anywhere.  Spam and 
other malicious content are clearly a topic that should be addressed in the 
concept of mail source authentication."



I also re-state these reasons in my sites' policies as follows (in case 
something was missed above):

"This server checks for both a DNS SPF-RRtype and a TXT-RRtype for SPF 
declarations.  Records resolving as "pass" due to use of the "+all" 
mechanism are specifically rejected by policy, as are mechanisms with small 
value CIDR net masks (<8 bits).  All SPF rejections occur during the SMTP 
transaction (in the "MAIL FROM" stage).  Hosts which transmit mail without 
an accompanying SPF record to verify its source authenticity may be 
penalized in the system's scoring system.

"Domains served by this server guarantee only the DNS SPF-RRtype for their 
SPF declarations.  This is consistent with RFC 4408 (Section 3.1.1) as such 
was allocated and widely supported by software since 2006.  Use of TXT-RRs 
for SPF declarations has been deprecated for some time.  DNS support for 
the SPF-RRtype existed as of February 2006.  Messages are marked only with 
an "Authentication-Results" header (per RFC 7001).

"RFC 7208:  This RFC is specifically rejected by this site as an example of 
bad practice and shall not be followed.  Its conclusions, especially section 
3.1, are clearly erroneous and counter to the intent of well established DNS 
standards, especially those first disclosed in RFC 1035 (Section 3.3.14). 
As such, this site will continue to publish only the SPF-RR-type and 
reserves the right to discontinue use of the TXT-RR-type.  Such an approach 
eliminates the problem in RFC 7208, Section 3 of multiple unrelated records 
for other purposes being returned (as may happen for TXT-RRs)."


For these reasons, I ask the Internet community at large to REJECT RFC 7208, 
especially where it removes the SPF-RR-type from the DNS specification. 
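The site policy quoted in the post (reject records that pass only via "+all", reject mechanisms with CIDR masks shorter than 8 bits, and pick the SPF record out of a TXT RRset that may also hold unrelated strings) can be expressed as a small static check. The following is an added illustration, not the poster's server code or any RFC 7208 reference implementation; the TXT RRsets, the `MIN_CIDR_BITS` constant and all function names are constructed for the example, and no DNS lookup is performed.

```python
import re

# Policy threshold taken from the post: any mask of fewer than 8 bits is rejected.
# (Constructed example; the poster's actual server logic is not published.)
MIN_CIDR_BITS = 8

# RFC 7208 matches the version tag case-insensitively; "v=spf10" must not match.
SPF_VERSION = re.compile(r"^v=spf1(?:\s|$)", re.IGNORECASE)


def select_spf_records(txt_rrset):
    """Pick the SPF records out of a TXT RRset that may carry unrelated strings.

    A checker needs exactly one: zero means 'no record', more than one is a
    permerror, which is the multiple-record problem the post complains about.
    """
    return [r for r in txt_rrset if SPF_VERSION.match(r)]


def split_terms(record):
    """Return the mechanism/modifier terms that follow the version tag."""
    if not SPF_VERSION.match(record):
        raise ValueError("not an SPF record: %r" % record)
    return record.split()[1:]


def cidr_lengths(mech):
    """Extract CIDR prefix lengths from one mechanism.

    ip4/ip6 carry a single length (ip4:192.0.2.0/24); a/mx may carry the dual
    form (mx/24//64).  An IPv6 address contains no '/', so rpartition is safe.
    """
    lengths = []
    body = mech
    if "//" in body:
        body, ip6_len = body.split("//", 1)
        if ip6_len.isdigit():
            lengths.append(int(ip6_len))
    _head, sep, tail = body.rpartition("/")
    if sep and tail.isdigit():
        lengths.append(int(tail))
    return lengths


def check_policy(record):
    """Return the reasons a record is rejected under the policy above (empty = acceptable)."""
    problems = []
    for term in split_terms(record):
        # Modifiers such as redirect= and exp= carry neither a qualifier nor a mask.
        if "=" in term.split(":", 1)[0]:
            continue
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name = mech.split(":", 1)[0].split("/", 1)[0].lower()
        # A bare "all" defaults to the "+" qualifier, so it is caught as well.
        if name == "all" and qualifier == "+":
            problems.append("'+all' authorizes any sender")
        for bits in cidr_lengths(mech):
            if bits < MIN_CIDR_BITS:
                problems.append("%r uses a /%d mask (fewer than %d bits)"
                                % (mech, bits, MIN_CIDR_BITS))
    return problems


def evaluate_txt_rrset(txt_rrset):
    """Run record selection and the policy check over a raw TXT RRset.

    Returns (status, details): 'none' when no SPF record is present (the post
    says such hosts may be penalised in scoring), 'permerror' for several
    records, 'reject' with the reasons, or 'ok'.
    """
    records = select_spf_records(txt_rrset)
    if not records:
        return ("none", [])
    if len(records) > 1:
        return ("permerror", records)
    problems = check_policy(records[0])
    return ("reject", problems) if problems else ("ok", [])


# Constructed sample RRsets, not real zone data.
SAMPLE_TXT_RRSETS = {
    "clean.example": ["google-site-verification=abc123", "v=spf1 ip4:192.0.2.0/24 mx -all"],
    "open.example": ["v=spf1 +all"],
    "wide.example": ["v=spf1 ip4:0.0.0.0/0 -all"],
    "dual.example": ["v=spf1 mx/24//4 -all"],
    "none.example": ["just some text"],
    "multi.example": ["v=spf1 -all", "V=SPF1 +all"],
}

if __name__ == "__main__":
    for name, rrset in SAMPLE_TXT_RRSETS.items():
        print(name, evaluate_txt_rrset(rrset))
```

The check is static: it classifies the published record before any sender IP is evaluated, which is what lets a receiver apply it at the "MAIL FROM" stage as the post describes.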



Thread

Opposition to RFC 7208 - SPF. "D. Stussy" <spam+newsgroups@bde-arc.ampr.org> - 2014-06-08 13:57 -0700
  Re: Opposition to RFC 7208 - SPF. Spam Guy <"Spam"@ Guy. com> - 2014-06-14 09:35 -0400
    Re: Opposition to RFC 7208 - SPF. "D. Stussy" <spam+newsgroups@bde-arc.ampr.org> - 2014-06-14 23:53 -0700
      Re: Opposition to RFC 7208 - SPF. Spam Guy <"Spam"@Guy. com> - 2014-06-16 15:23 -0400
