For senders that are on its whitelist, AOL reverse engineers the IP
addresses to whitelist from the sender's SPF records, which is way
easier all around than the former mostly manual system.
Since S-ID falls back to SPF records, most senders just publish one set of
SPF records for both. Note that neither of these are using SPF for its
nominal purpose; I'm not aware of any large system that does.
They're using it for whitelisting purposes instead of its nominal purpose?
That's exactly what I'm discussing.
Every once in a while, AOL fetches the SPF records for senders in
their whitelist, crunches them to get a set of IP addresses, and then
puts those IP addresses into their whitelist. AOL's whitelisting
process is based on IPs, with the SPF bit merely being a cheap way for
senders to tell AOL what IPs they use. They do not use SPF
per-message, nor as far as I can tell do they make any attempt to
match up the bounce address on incoming mail to the domain from which
they got the IP in the whitelist.
I think SPF has a bad reputation in some quarters because people
think of how it breaks forwarding (etc).
It could be somewhat useful for whitelisting some kinds of mail. Too
bad it's been so egregiously oversold.
R's,
John
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg