spf-discuss

Re: SPF+SRS vs. BATV (was: SPF Stats)

2005-07-05 09:23:40
On Tue, 5 Jul 2005, David Woodhouse wrote:

> Humour me... assume I were to set up a forwarding address
> stuart(_at_)infradead(_dot_)org which was forwarded to you. What IP addresses
> would you list for it?

I wouldn't list any - and I would reject or discard email to it.  Properly so,
since I didn't authorize any such forward.  I already get tons of crap
from mailing lists that don't check SPF, but keep sending me "confirmation"
emails from forged "subscription requests".

> Or suppose you bought a domain from (...googles...)
> http://www.yourdomainhost.com/ and used their email forwarding service.
> What IP addresses would you list for _that_?

I would only purchase a forwarding service that at a minimum publishes
SPF with -all so that I would not have to list IPs.  If the forwarding
service does not implement SRS, then I would simply use their SPF record
to whitelist the forward:

  If RCPT TO == forward target and SPF fail, then 
    replace MAIL FROM with forwarded alias,
    accept mail if that passes

Forget about the big picture for a second, and just think of SPF as
a way to publish what IPs you send mail from.  Makes answering
the question "what IP addresses" easy!

>> The disagreement is whether giant ISPs not rejecting on SPF fail
>> renders SPF "useless".
>
> And that decision obviously differs according to your understanding of
> 'giant' above. By my reckoning, the answer would be a resounding 'yes'.
> Partly because so few people can safely actually reject mail due to SPF
> failures, but mostly due to the point you make yourself...
>
>> Frankly, as long as the giant ISP sends real RFC compliant DSNs (with
>> empty mail from) that my SRS/SES/BATV encoding can ignore, it is their
>> problem, and I couldn't care less.
>
> Right. You don't care if the largest mail providers aren't using SPF,
> because there are viable alternatives which _do_ work properly in the
> real world and provide largely the same benefits which SPF purports to
> offer. So it doesn't matter that many people can't use SPF.

No, I couldn't care less because I don't usually need to correspond with
people on ISPs that have no control over their forwards.  People and companies
with serious business to conduct via email generally have their own domain,
which they keep secured if they are competent, and SPF works just fine
for us.

A company (as opposed to a large public ISP with generic mailboxes like
AOL) that can't keep track of which aliases they've given to their customers
and vendors to contact them has very serious problems quite apart from SPF.

It is the ISPs' problem that they can't reject forgeries using SPF thanks
to their loose aliasing policies.  That means they have more crud to deal with
using other methods (e.g. AOL tracks IP reputation using user feedback).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
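The forward-whitelisting rule sketched in the post above ("if RCPT TO is a forward target and SPF fails, retry with the forwarded alias as MAIL FROM") as an added, runnable example; this is not code from the post or from any SPF implementation. The SPF records, IP addresses and the forwarding table are constructed sample data, and the SPF evaluator is deliberately minimal (only `ip4:` mechanisms and the `all` mechanism, no `include:`, `a`, `mx` or macros), so it illustrates the decision logic rather than serving as a full SPF checker.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (sample data, not the
# real records of these domains). Only ip4: and the all mechanism are used.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 -all",          # a correspondent's domain
    "infradead.org": "v=spf1 ip4:198.51.100.0/24 -all",   # the forwarding domain
}

# Hypothetical forwarding table: local recipient -> the alias that a known
# forwarder delivers to us without rewriting MAIL FROM (no SRS on their side).
FORWARD_ALIASES = {
    "stuart@bmsi.com": "stuart@infradead.org",
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluation of the constructed records.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only ip4:
    mechanisms and 'all' are understood; anything else is skipped.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in _QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return _QUALIFIERS[qual]
        elif term == "all":
            return _QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def smtp_decision(mail_from, rcpt_to, client_ip):
    """Apply the post's rule at RCPT time.

    Returns (action, verified_sender). verified_sender is the identity that
    produced an SPF pass, or None when the mail is accepted unverified.
    """
    # Null sender (DSN): SPF cannot vouch for it; the post leaves bounces to
    # SRS/SES/BATV signature checks, which are outside this example.
    if mail_from == "":
        return ("accept", None)

    result = spf_check(mail_from.rpartition("@")[2], client_ip)
    if result == "pass":
        return ("accept", mail_from)
    if result != "fail":
        # none / neutral / softfail: the post only rejects on a hard fail.
        return ("accept", None)

    # SPF fail: is this recipient a forward target we authorised?
    alias = FORWARD_ALIASES.get(rcpt_to)
    if alias is None:
        return ("reject", None)
    # Re-evaluate with the forwarding alias as MAIL FROM; the forwarder's
    # domain publishes -all, so only its own relays can pass this check.
    if spf_check(alias.rpartition("@")[2], client_ip) == "pass":
        return ("accept", alias)
    return ("reject", None)


if __name__ == "__main__":
    # Forwarded mail from the forwarder's relay: first check fails, alias passes.
    print(smtp_decision("alice@example.com", "stuart@bmsi.com", "198.51.100.7"))
    # Same envelope from an unrelated host: both checks fail, rejected.
    print(smtp_decision("alice@example.com", "stuart@bmsi.com", "203.0.113.5"))
```

The second check is what keeps the whitelist narrow: a forged message claiming to come from the correspondent is only rescued if it arrives from an IP the forwarding domain itself vouches for, which is why the post insists on a forwarder that publishes SPF with -all.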
