Andrew Church <achurch(_at_)achurch(_dot_)org>
Some legitimate mail, because all mail-blocking schemes do.
Can you give me an example?
Why? Mistakes happen, we all know that.
My primary goal with this RR is not to block spam per se, but to allow
domain owners to prevent mail with forged headers (usually, but not
necessarily, spam) containing their domain name from being sent. In other
words, I want to keep Joe Spammer from using openrelay.example.com to send
mail that appears to be from achurch.org. Thus, all I need is support in
SMTP clients; if clueless sites don't want to add MS RRs, their loss (but
not mine).
Here's a scenario where that breaks, modelled on something that happened
to me last month.
I work at the small $city_name office of a company with many locations
throughout the world. One day my IP connectivity to the main office is
broken, but I can talk to most of the world. No problemo, I just
comment out the "smarthost" stuff in my server's sendmail.cf and see
that my outgoing mail works again.
Next day the main office is back on the net, but but I forget to
reenable the smarthost setting, and noone discovers it until the main
office, confident that everyone's using the central smarthost, adds an
MS RR and some of my mail starts bouncing.
Or a variation:
I work at the ... and I see that my mail apparently works again.
Because on that day, nothing in the mail queue went to an MS-testing
site and I wasn't aware that the main office had added an MS RR.
I then forget about it. Months later I discover that an important
customer has been MS-testing and silently discarding mail.
--Arnt