spf-discuss

Re: Re: Forwarding/Redirecting: The problem as I see it....

2005-07-07 07:33:22
On Thu, 7 Jul 2005, David Woodhouse wrote:

> I don't know where they'll be forwarding mail from -- my only option
> would be to force all of them to continually maintain a list of IP
> addresses for their own whitelist, which would be a large technical
> challenge for me and a time-consuming ongoing task for them.

You do have to force them to maintain a list.  But it doesn't have
to be IP addresses.  They only need to list forwarder domains.  Use SPF 
to translate the domains to IP addresses.  Even if the forwarder
doesn't publish SPF, a "best guess" record will usually work.  And
you can provide a local substitute.

For instance, if a forwarder has no SPF record, but sends from
smtpN.joesforwarding.com for many N, you could supply a local
SPF record of "v=spf1 ptr -all" for joesforwarding.com.

I provide local SPF records to all the MTAs I administer via DNS.
When there is no SPF record for example.com, I then look up
example.com._spf.mydomain.com, and put all the local SPF
records in _spf.mydomain.com.

This provides a superior and flexible form of whitelisting - very
useful even if *nobody* actually published SPF!

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
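
The lookup order described in the message (published record first, then `<domain>._spf.mydomain.com`), as an added example that is not code from the message or its author. The DNS data is constructed, the function names are hypothetical, and only the `all`, `ptr` and `ip4` mechanisms are evaluated; the second joesforwarding.com address shows why `ptr` must confirm the reverse name with a forward lookup.

```python
import ipaddress

LOCAL_ZONE = "_spf.mydomain.com"  # zone name from the message
# Constructed DNS data (documentation address ranges) standing in for live lookups.
TXT = {"example.org": ["site-verification=abc", "v=spf1 ip4:192.0.2.0/24 -all"],
       "joesforwarding.com._spf.mydomain.com": ["v=spf1 ptr -all"]}
PTR = {"198.51.100.7": ["smtp3.joesforwarding.com"],
       "203.0.113.9": ["smtp1.joesforwarding.com"]}  # reverse name only, unconfirmed
A = {"smtp3.joesforwarding.com": ["198.51.100.7"],
     "smtp1.joesforwarding.com": ["198.51.100.99"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_policy(domain):
    """Return (source, record): the published record, else the local substitute."""
    domain = domain.rstrip(".").lower()
    for source, name in (("published", domain), ("local", f"{domain}.{LOCAL_ZONE}")):
        found = [r for r in TXT.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]
        if found:
            # More than one SPF record at a name is an error, not a choice.
            return source, found[0] if len(found) == 1 else None
    return "none", None

def ptr_match(ip, domain):
    """ptr: a reverse name counts only if it also resolves forward to the same IP."""
    for host in PTR.get(ip, []):
        host = host.rstrip(".").lower()
        if ip in A.get(host, []) and (host == domain or host.endswith("." + domain)):
            return True
    return False

def check(ip, domain):
    """Evaluate the all, ptr and ip4 mechanisms only; returns (source, result)."""
    domain = domain.rstrip(".").lower()
    source, record = find_policy(domain)
    if record is None:
        return source, "none" if source == "none" else "permerror"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            hit = True
        elif mech == "ptr":
            hit = ptr_match(ip, domain)
        elif mech.startswith("ip4:"):
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return source, "unsupported"  # mechanism not handled in this example
        if hit:
            return source, RESULT[qualifier]
    return source, "neutral"
```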

