"Then why rely on consumer level services? If email is that important, then
why not run your own MTA, which may be multi-homed for redundancy?
Then your domain's SPF record can list the IP addresses for your own MTA and
you never need to worry about your providers' MTAs or their SPF records. If
email is important to your business, then presumably being confident that
your domain isn't being used by someone other than you is also important."

I did this for a few years. Then the $#^%$# blacklists started reporting my
IP as dynamic. Much of my outbound email was being blocked. I now must use
an external MTA. It sucks!!!! At the time Comcast did not offer static IP
addresses. In fact, finding someone within Comcast that understood "static
IP address" was a challenge. As far as I know, they still don't do static
IP addresses. If they do, the cost would be too much.

BTW, my IP address only changes about every 9 months or so.
I have no problems receiving email directly. I do have up to 3 days of
problems when my IP changes!

Also, Comcast has no SPF record. Finding the list of mail servers was a
pain; I had help from other people on this list. At the time we came up
with 9 mail servers. Using "include" would be so much nicer!

[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Andy
Sent: Friday, March 18, 2005 2:01 PM
Subject: RE: [spf-discuss] RE: rr.com and SPF records

On Fri, 2005-03-18 at 11:52, Scott Kitterman wrote:

To the extent that ESP has 100% uptime, you are right. I currently list 3
companies' mail servers in my record...

1. My ESP - I use this when connecting on the road and also if I can't
get through using my DSL/Cable provider's MTA.
2. DSL Provider's MTA - My primary.
3. Cable company's MTA - I have a cable modem for backup connectivity, so
list their MTA for when I connect that way. (BTW, this is Comcast and I
asked. They are clueless beyond belief).

Why not submit your email to your ESP all the time? Any Email Service
Provider has to be more receptive than a general provider like Comcast
to providing services like SMTP AUTH and submission on port 587. Last
time it was mentioned here, no one could find a provider who was
blocking port 587, and even if you could, an ESP should be willing to
let you submit on a different port and over SSL so you can use the
specific service they are providing you, since you are, presumably,
paying for it.

A system is only as strong as its weakest link. Using big consumer
grade services that everyone and their dog uses, like Comcast, to send
your email doesn't actually help a domain forgery situation. Unless
Comcast would do something to prevent cross-customer forgery (and if
they are clueless about using the submission port, they are most likely
clueless about avoiding cross-customer forgery also), listing them in
your domain's SPF record does not get you significantly close to a
strong forgery avoidance system.

You may believe that I don't need all this redundancy, but I do.

Then why rely on consumer level services? If email is that important,
then why not run your own MTA, which may be multi-homed for redundancy?
Then your domain's SPF record can list the IP addresses for your own MTA
and you never need to worry about your providers' MTAs or their SPF
records. If email is important to your business, then presumably being
confident that your domain isn't being used by someone other than you is
also important.

If I'm not
doing e-mail, I'm pretty much out of business.

If your ESP is not close to 100% reliable, then how are you receiving
email as reliably as you are able to send it? Do you only send email?
Or do your customers have to send to your address
@email-service-provider.com, @dsl-provider.com and @comcast.com in case
one of them happens to be out?

If not being forged isn't important to you or your business, then don't
publish SPF records.

Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>

Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf