On 6/15/2004 1:58 PM, John Levine wrote:
Re SPF, I know about the SPF publishing wizard, and I've seen a couple
of libraries that decode SPF data, but how many people have actually
plugged them into their MTAs to see what happens?
I did for a while (not doing so today, but that's incidental with
infrastructure issues).
SPF is useful when [1] there is a record, and [2] the mail comes from a
source that is clearly unauthorized for the associated domain. It is not
particularly useful in any other combination. For example, you cannot
*reliably* interpret the lack of a record as meaning anything, since many
organizations (including some of my big customers) will send mail from an
account in a division-specific domain, but will use a server in a parent
or sibling domain for relay purposes. Meanwhile, the mere existence of a
record and the use of an authorized server doesn't tell you much either,
since spammers can create records that point to their servers too.
So all in all, the subset of messages that meet the criteria are small,
but this is primarily due to the relatively small number of domains that
have records. I don't actually think that this will change much, since
even while more domains may get records, spammers will either use other
domains or will setup their own records.
But the whole value proposition of SPF and similar efforts is that I can
prevent *MY* domain from being used in various forgeries, so in that
regard it is still useful.
On the other hand, the cost of operating a server goes up somewhat due to
the increased query load, the fact that synchronous blocking lowers the
number of transfers per day that my machinery can handle, etc., while the
benefits mostly flow to other people.
SPF is worth publishing, but the value for checking is marginal and will
probably stay that way.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/