On Tue, 2005-07-05 at 08:57 -0400, Stuart D. Gathman wrote:
This is FUD and simply not true. SRS is only one possible tool to
help mail receivers deal with their own forwarding, when they have set up
a large and uncontrolled pool of forwarders (an ISP where users
set up forwarders without consulting the mail admin, for example).
It is *not* required, and securing your mail network is always the
preferred solution.
Any mail system of more than negligible size will have its users
forwarding mail from a large and uncontrolled pool of forwarders. The
admin would have to force its users to either keep track of those
forwarders for it, or risk losing their mail.
Keeping track of forwarders is a hard problem even when it's limited to
a few users and a few forwarding domains. The user would be expected to
know the IP addresses which may be used for _outgoing_ mail by each of
the mail hosts which is part of the forwarding domain, and would be
expected to monitor that list and maintain it constantly.
If the address dwmw2(_at_)cam(_dot_)ac(_dot_)uk were still forwarded to me, for
example,
then I'd need to keep a constant check on which were MX hosts for
cam.ac.uk and which outgoing addresses (IPv4 and IPv6) they might use
for outgoing mail. I may not have any way of _knowing_ that from the
outside, and of course the public-facing MX hosts may not actually be
the hosts which process the aliases and then forward the mail to
external systems.
Requiring that users do that kind of detective work would pose a _large_
challenge, both technical and political, to any mail system operator --
and I see no evidence of any large ISP undertaking it.
The alternative is to rely on the world at large to implement SRS. And I
don't see much evidence of that catching on either.
Thus, SPF remains dead in the water.
The second statement is patently false. If you don't want to deal
with your forwarding mess, simply don't check SPF, or don't reject on fail.
End of story. You can still publish SPF, SPF still works great for
those who are fully participating.
I cannot publish SPF (with -all) today because I know there are
recipients out there who would reject valid mail after it's been
forwarded. To publish '-all' would be saying that no valid mail from my
users would ever come from IP addresses other than my own, and I _know_
that to be false, because SRS isn't ubiquitous.
I cannot reject for failure today because I know I cannot feasibly keep
track of all the various hosts which may forward mail to my servers, and
I _know_ that there'll be false rejections because SRS isn't ubiquitous.
SPF only 'works great' if you don't mind throwing the baby out with the
bathwater. I'm sure there are people at verizon who claim that blocking
all non-US IP addresses 'works great' too. And there are ex-customers
who disagree. Go figure.
--
dwmw2