ietf-asrg

Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-30 05:56:16


--On 29 June 2009 13:36:00 -0400 Bill Cole <asrg3(_at_)billmail(_dot_)scconsult(_dot_)com> wrote:


>> There is, actually. If you publish SPF records with a strong -all, then
>> recipients can easily decide to reject (not bounce) messages. Add DKIM
>> signatures, and they'll be able to tell when someone has forwarded your
>> legitimate email.
>
> Do you have any evidence that this actually works to any detectable
> degree?
>
> I have solid proof that it is far from perfect, but I only have a handful
> of addresses that ever had significant bogus bounce flow in the one
> domain I could safely use in a SPF '-all' effectiveness test. The first 5
> years of that test have shown a slow drop in the rate of bad bounces in
> general offered to that domain, but it isn't much more proportionally
> than the drop from a dribble to a trickle that I've seen for a domain
> with no SPF record. The noise in my minuscule and weakly controlled data
> makes it quantitatively worthless, but on a qualitative basis it makes
> clear that strong SPF records are not yet a strong universal tool for
> preventing blowback bounces.
>
> If you are aware of SPF being any more useful than prayer at controlling
> blowback, please share it.

Well, my claim is a theoretical one, and perhaps a hope for the future. It probably isn't yet effective. I do believe that it will be one day.

However, I do believe that people should take SPF records into account when deciding whether to generate bounce messages. It should not be a problem if there's a positive SPF or DKIM match. You shouldn't do it if there's an SPF fail. It's harder to decide what to do in the absence of SPF, or a neutral or softfail result.

I'd suggest that to drive up adoption of SPF, don't bounce for a neutral or softfail result (instead give a 5xx error), but (this will be controversial) feel free to bounce into domains that aren't trying to help - i.e. domains that don't publish SPF records at all. (ducks).


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
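
The bounce policy proposed in the reply above, sketched as an added example that is not part of the original message or of any MTA's code. It assumes the receiving MTA has already recorded its SPF and DKIM verdicts in an Authentication-Results header (RFC 8601 syntax); the function names, the sample headers, the requirement that the DKIM `header.d` domain equal the envelope sender domain, and the handling of temperror/permerror are assumptions of this example.

```python
import re

# "; spf=pass ..." / "; dkim=fail ..." method results in the header value.
METHOD = re.compile(r";\s*(spf|dkim)\s*=\s*([a-z]+)([^;]*)", re.I)
DKIM_DOMAIN = re.compile(r"\bheader\.d\s*=\s*([\w.-]+)", re.I)

def parse_auth_results(value):
    """Return (spf_result, set of domains with a passing DKIM signature)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", " ", value)    # drop (comments), which may hold ';'
    spf, dkim_pass = "none", set()               # a missing spf= entry is treated as "none"
    for method, result, props in METHOD.findall(value):
        if method.lower() == "spf":
            spf = result.lower()
        elif result.lower() == "pass":
            m = DKIM_DOMAIN.search(props)
            if m:
                dkim_pass.add(m.group(1).lower())
    return spf, dkim_pass

def undeliverable_action(auth_results, mailfrom_domain):
    """Decide what to do with a message that cannot be delivered.
    'bounce' = a DSN to the envelope sender is acceptable;
    'reject' = answer 5xx during the SMTP session and generate nothing."""
    spf, dkim_pass = parse_auth_results(auth_results)
    if spf == "pass" or mailfrom_domain.lower() in dkim_pass:
        return "bounce"   # positive SPF or DKIM match
    if spf == "none":
        return "bounce"   # no SPF record published: the "controversial" case
    return "reject"       # fail, softfail, neutral; temperror/permerror too (assumption)

# Constructed sample headers (not taken from real traffic).
SAMPLES = [
    "mx.example.net; spf=pass smtp.mailfrom=example.org",
    "mx.example.net; spf=fail (not permitted; see policy) smtp.mailfrom=example.org",
    "mx.example.net; spf=softfail smtp.mailfrom=example.org;\r\n dkim=pass header.d=example.org",
    "mx.example.net; spf=neutral smtp.mailfrom=example.org; dkim=pass header.d=other.example",
    "mx.example.net; spf=none smtp.mailfrom=example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(undeliverable_action(header, "example.org"), "<-", header.split(";")[1].strip())
```

The third sample is the forwarding case from the thread: SPF no longer passes at the forwarder's address, but the surviving DKIM signature still vouches for the sender's domain.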