ietf-mxcomp

Re: How is SPF different from RMX?

2004-08-02 00:37:58

On Monday 2 August 2004 08:25, Dean Anderson wrote:

> Ok. Let's take a likely scenario:  There are roughly 30000 ISPs in the
> world. Let's suppose that either for good business or for anti-trust
> requirements, they all have to allow their customers to outsource
> parts of their email system to the other ISPs.  So, each ISP has to allow
> the servers for each other ISP to send "from:" its domain.

Really? So there is no point at all publishing SPF records or Sender-ID 
records or whatever for them, except for publishing the list of their own 
servers maybe, so their own servers would get a "pass" and others a 
"neutral". But this basically allows the planet to forge MAIL FROM bearing 
their domain name.

If they do publish an SPF record, it should look more or less like the current 
AOL SPF record:

aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 
ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 
ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"

However, when most domains publish more restrictive SPF records, these 
permissive domains will become the preferred source for email forgeries, so 
many sysadmins will set up local policies submitting MAIL FROM permissive 
domains to extra and extreme antispam checks, or treating a "neutral" as a 
"fail" for aol.com for example. This is surely what I will do myself.

We can expect these permissive domains to shift progressively from "?all" to 
"~all", then "-all".

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
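
The receiver-side policy discussed in this message, as an added example that is not part of the original post and not taken from any SPF implementation: it evaluates the AOL record quoted above against a connecting IP, then applies a local override that treats "neutral" as "fail" for listed domains. The function names, the strict-domain set and the test addresses are assumptions; only ip4 and all are evaluated, and mechanisms that need DNS (such as ptr) are skipped as non-matching.

```python
import ipaddress

# Record text as quoted in the message above (line wrapping removed).
AOL_SPF = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
           "ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 "
           "ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all")

# SPF qualifier characters and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Offline evaluation of the ip4 and all mechanisms only.

    Mechanisms needing DNS (ptr, a, mx, include, ...) are skipped as
    non-matching, a simplification made for this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
    return "neutral"  # nothing matched and no "all" term present

def local_policy(domain, spf_result, strict_domains):
    """Receiver-side override: for listed domains, neutral counts as fail."""
    if spf_result == "neutral" and domain.lower() in strict_domains:
        return "fail"
    return spf_result

if __name__ == "__main__":
    strict = {"aol.com"}  # hypothetical local list of permissive domains
    # 205.188.157.10 is inside a published range; 192.0.2.55 is a
    # documentation address standing in for an unlisted sender.
    for addr in ("205.188.157.10", "192.0.2.55"):
        raw = evaluate_spf(AOL_SPF, addr)
        print(addr, raw, "->", local_policy("aol.com", raw, strict))
```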