[secdir] draft-ietf-spfbis-4408bis-14

Phillip Hallam-Baker <hallam@gmail.com> Fri, 26 April 2013 16:58 UTC

Date: Fri, 26 Apr 2013 12:58:48 -0400
Message-ID: <CAMm+LwjoH77H9cRQseQF09rDLwjtViZW_tGp71v0-WaZujoYtA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-spfbis-4408bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] draft-ietf-spfbis-4408bis-14

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document is clear and describes the SPF mechanism effectively. The only
quibble that I could find is that repeated mentions are made of limiting
the number of 'DNS queries' without specifying whether these are individual
queries or recursive. The count will come out rather differently if looking
up TXT/x.example.com counts as one lookup or three. I think it is
reasonably clear that this is one but could not find an explicit statement
to that effect.

On the security side, the document addresses all the mail issues that I can
remember at this point and rather more besides.

I think we have reached the point of diminishing returns.

The document provides a clear enough warning to people configuring SPF
records as to the consequences of getting it wrong, which is the main
concern. The filtering services will know their business well enough to
minimize false positives.

Hopefully the email infrastructure will evolve over time towards
concentrating on the more policy-friendly approaches and it will be
possible to simplify the mechanism at a future date.

Website: http://hallambaker.com/
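The lookup-limit point raised in the review, as an added example that is not part of the review or of the spfbis draft: the limit is on DNS-querying terms (a, mx, ptr, exists, include and redirect), counted once per term regardless of how many queries the resolver needs to answer it, which is the reading RFC 7208 (the published form of this draft) made explicit. The records, zone contents and domain names below are constructed, and include:/redirect= are followed through an in-memory map rather than live DNS.

```python
LIMIT = 10  # maximum DNS-querying terms per SPF evaluation
DNS_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed in-memory zone (hypothetical domains) standing in for live TXT lookups.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.example.com ip4:192.0.2.0/24 -all",
    "_spf.example.com": "v=spf1 a a:mail1.example.com a:mail2.example.com "
                        "include:bulk.example.net ~all",
    "bulk.example.net": "v=spf1 include:a.bulk.example.net "
                        "include:b.bulk.example.net -all",
    "a.bulk.example.net": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.rbl.example.net -all",
    "b.bulk.example.net": "v=spf1 mx ptr -all",
}

def parse_terms(record):
    """Return [(qualifier, name, argument)] for every term after 'v=spf1'."""
    terms = []
    for tok in record.split()[1:]:
        if "=" in tok.split(":", 1)[0]:          # modifier, e.g. redirect=target
            name, arg = tok.split("=", 1)
            terms.append(("+", name.lower(), arg))
            continue
        qualifier = "+"
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        terms.append((qualifier, name.split("/")[0].lower(), arg))  # drop CIDR suffix
    return terms

def count_dns_terms(domain, zone):
    """Static upper bound on DNS-querying terms for one evaluation (every term
    assumed evaluated); each term counts once. Returns (count, "ok"|"permerror")."""
    count = 0

    def walk(name):
        nonlocal count
        for _q, term, arg in parse_terms(zone.get(name, "v=spf1")):  # missing: no terms
            if term in DNS_TERMS:
                count += 1
                if count > LIMIT:               # the limit itself also stops include loops
                    raise ValueError("permerror")
            if term in ("include", "redirect"):
                walk(arg)

    try:
        walk(domain)
    except ValueError:
        return count, "permerror"
    return count, "ok"
```

Each record in the constructed zone is well within the limit on its own; only the recursive total for example.com exceeds it, which is why a checker has to walk include: and redirect= rather than count one record at a time.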