On 2/23/2019 2:56 PM, Kurt Andersen (b) wrote:

On Sat, Feb 23, 2019 at 11:00 AM Hector Santos wrote:

Unless the conditions were limited to when this can be applied, I can
see where this can become really complex because of higher recursion
potentials. You also have compatibility concerns as well.


I think that the biggest problem with nested includes (I'm intentionally
avoiding the "recursion" term because it should not be recursive or
circular) is the table in RFC7208 section 5.2 which asserts that a neutral
result from check_host ends up being treated as a "not-match" condition.
The way I read that is that if d1.example has ?include:d2.example which in
turn has a ?include:d3.example, then a check_host match on the d3.example
record would not end up percolating up to d1.example as a neutral final
result.

+1

One question is, can each nested domain SPF record stand on its own, independent of its administrative domain's INCLUDE assertion to relax a potential hard pass/fail result to a relaxed neutral/softfail? In other words, if d1 includes d2 which includes d3, is it possible to see d2 or d3 directly via a direct return path domain reference?

I think it continues to be an organizational issue; in particular, when the SPF network gets larger it is easier to see the complexities, especially when augmenting SPF with additional protocols, i.e. DMARC.

It is also local policy with SPF trust considerations. For example, our SPF parser has the following local policy options:

; SPF can return low trust results. A pass means the sender has
; a valid SPF record and is accepted. Softfail and Neutral means
; no match is found but rejection is not automatic.  Setting a
; true accept can provide a loop for potential spoofers who have
; SPF records and think they will allow them in.  The options
; below allow you to control this.

Accept-SPF-Pass      True            ; if false, continue testing
Accept-SPF-SoftFail  False           ; if false, continue testing
Accept-SPF-Neutral   False           ; if false, continue testing

In our case, "continue testing" means to "pass the buck" to the next real-time AVS filter to see what it can find. Out of the box, it is a pass for Accept-SPF-Pass results, which means SPF-compliant "bad guys" with matching IPs get a pass.


--
HLS


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
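As an added example, not code from this thread, from the RFC, or from the SPF parser described above: a minimal SPF evaluator over a constructed in-memory "DNS" (the d1/d2/d3 records below are made up for the example) that implements the RFC 7208 section 5.2 mapping for include: targets (pass is a match; fail, softfail and neutral are not-match; temperror propagates; permerror and none become permerror) together with the section 4.6.4 limit of 10 DNS-querying terms, so that an include loop ends in permerror instead of unbounded recursion. The ?include chain d1 -> d2 -> d3 shows the point made above: d3 checked directly passes, d2 checked directly is neutral, but d1 ends in fail because the neutral from d2 is a not-match and the trailing -all then applies. The local_decision function is a guess at how the Accept-SPF-* options would be applied (treating fail as reject is my assumption, not something the thread states); it is not the parser's real logic. Only ip4, include and all are supported; anything else is treated as permerror.

```python
import ipaddress

# Constructed zone data standing in for real DNS TXT lookups (example only).
TXT_RECORDS = {
    "d1.example": "v=spf1 ?include:d2.example -all",
    "d2.example": "v=spf1 ?include:d3.example -all",
    "d3.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-include, must not recurse forever
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 section 5.2: how the including record interprets the recursive
# check_host() result of an include: target.
INCLUDE_MAP = {
    "pass": "match",
    "fail": "not-match",
    "softfail": "not-match",
    "neutral": "not-match",      # the neutral does NOT bubble up as neutral
    "temperror": "temperror",
    "permerror": "permerror",
    "none": "permerror",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4, shared across the whole evaluation


class PermError(Exception):
    pass


class LookupBudget:
    """Counts DNS-querying terms (here only include:) for one check_host() call."""

    def __init__(self):
        self.used = 0

    def spend(self):
        self.used += 1
        if self.used > MAX_DNS_LOOKUPS:
            raise PermError("too many DNS lookups")


def check_host(ip, domain, budget=None):
    """Return the SPF result string for sender IP `ip` and domain `domain`."""
    budget = budget if budget is not None else LookupBudget()
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"
    try:
        return _evaluate(ip, record, budget)
    except PermError:
        return "permerror"


def _evaluate(ip, record, budget):
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget.spend()
            verdict = INCLUDE_MAP[check_host(ip, arg, budget)]
            if verdict in ("temperror", "permerror"):
                return verdict
            matched = verdict == "match"
        else:
            raise PermError("unsupported mechanism: " + name)  # assumption for this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no explicit all


# Hypothetical rendering of the Accept-SPF-* local policy options quoted above.
LOCAL_POLICY = {"Accept-SPF-Pass": True, "Accept-SPF-SoftFail": False, "Accept-SPF-Neutral": False}
_OPTION_FOR = {"pass": "Accept-SPF-Pass", "softfail": "Accept-SPF-SoftFail", "neutral": "Accept-SPF-Neutral"}


def local_decision(spf_result, policy=LOCAL_POLICY):
    """accept / reject / continue (hand off to the next filter). Fail => reject is an assumption."""
    if spf_result == "fail":
        return "reject"
    if policy.get(_OPTION_FOR.get(spf_result, ""), False):
        return "accept"
    return "continue"


if __name__ == "__main__":
    for d in ("d3.example", "d2.example", "d1.example", "loop.example"):
        r = check_host("192.0.2.5", d)
        print(d, r, "->", local_decision(r))
```

Running it prints d3.example pass, d2.example neutral, d1.example fail and loop.example permerror for 192.0.2.5: the same IP is accepted if the sender's return path names d3.example directly, but fails at the top of the ?include chain, which is why the include qualifier cannot be relied on to "relax" a nested result.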
