Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> writes:
> It would seem the best solution for MTA servers sharing multiple domains
> would be to NOT publish any SPF or Sender-ID records. This would
> protect clients that might be harmed by repudiation services. I have
> yet to see such cautionary statements about publishing records when
> clients share common servers of differing domains.
>
> Although SPF could help reduce some of the spoof address bounces,
> Sender-ID will not. Neither SPF nor Sender-ID allows an effective means
> to abate abuse. Transparent redirection of the SMTP protocol does this
> effectively however. If the trade-off is for less spam or fewer options
> of which email address someone may use, I'll opt for less spam. It is
> folly to insist all mail servers will map on a one-to-one basis to
> domains just to suit Sender-ID repudiations.

When an MTA serves multiple domains, either all of the email is
originated on the MTA and all of the domains are under common
ownership (which is possible but I suspect uncommon), in which case
the problem is internal to the running of that system and outside the
scope of this WG; or the emails are passed to the MTA, or MSA on the
same system, by SMTP clients on other systems. Therefore, could (and
should) the shared MTA not perform checks to ensure that the
submitting system is authorised to send mail for the domain in the PRA
of submitted email? Could the shared MTA not set up a 'private'
(internal either to the MTA or to the organisation running the MTA)
DNS containing SPF, Sender-ID or DomainKeys records to indicate which
systems are authorised to submit email (to the shared MTA) on behalf
of each domain? Or, even easier, especially where mail is submitted
from dynamic IP addresses, require SMTP AUTH and have a separate
authorisation 'user' for each domain.
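The submission-time check proposed in the reply above, as an added example that is not part of the thread: a shared MTA looks up the PRA domain in an internal policy table (standing in for the 'private' DNS with SPF-style records) and accepts the message only if the submitting host's address is listed for that domain, or the SMTP AUTH identity is one of the users authorised for that domain. The domains, networks and user names are constructed sample values, and the `POLICY` table and `authorise_submission` function are assumptions of this example, not an interface of any MTA.

```python
"""Per-domain submission authorisation for a shared MTA (added example).

The policy table below plays the role of the 'private' DNS the post
describes: for each hosted domain it lists the networks allowed to submit
without authentication (the internal analogue of an SPF ip4: mechanism) and
the SMTP AUTH identities allowed to submit for that domain.  All values are
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class DomainPolicy:
    # Networks permitted to submit mail for the domain without SMTP AUTH.
    networks: list = field(default_factory=list)
    # SMTP AUTH identities permitted to submit mail for the domain; this is
    # the "separate authorisation user per domain" idea, which also covers
    # submitters on dynamic IP addresses.
    auth_users: set = field(default_factory=set)


# Constructed sample policy: one entry per domain the shared MTA hosts.
POLICY = {
    "example.com": DomainPolicy(networks=[ip_network("192.0.2.0/24")],
                                auth_users={"postmaster@example.com"}),
    "example.net": DomainPolicy(networks=[],
                                auth_users={"mailer-net"}),
}


def pra_domain(pra: str) -> Optional[str]:
    """Return the domain part of a PRA (or MAIL FROM) address, or None."""
    if "@" not in pra:
        return None
    domain = pra.rsplit("@", 1)[1].strip().lower()
    return domain or None


def authorise_submission(pra: str, client_ip: str,
                         auth_user: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the shared MTA should accept a submitted message.

    Returns (accepted, reason).  An authenticated submitter is judged only by
    the per-domain user list; an unauthenticated one only by the per-domain
    network list.  Domains not hosted here are refused outright.
    """
    domain = pra_domain(pra)
    if domain is None:
        return (False, "malformed PRA address")
    policy = POLICY.get(domain)
    if policy is None:
        return (False, f"{domain} is not hosted on this MTA")

    if auth_user is not None:
        if auth_user in policy.auth_users:
            return (True, f"SMTP AUTH user {auth_user} may submit for {domain}")
        return (False, f"SMTP AUTH user {auth_user} is not authorised for {domain}")

    addr = ip_address(client_ip)
    for net in policy.networks:
        if addr in net:
            return (True, f"{client_ip} is an authorised submitter for {domain}")
    return (False, f"{client_ip} is not authorised for {domain} and did not authenticate")


if __name__ == "__main__":
    for args in [("alice@example.com", "192.0.2.10"),
                 ("alice@example.com", "198.51.100.5"),
                 ("bob@example.net", "198.51.100.5", "mailer-net"),
                 ("bob@example.net", "198.51.100.5", "postmaster@example.com"),
                 ("carol@other.example", "192.0.2.10")]:
        print(args, "->", authorise_submission(*args))
```

Because the check runs at submission, a rejected message is refused with a 5xx before it enters the queue, so no bounce is generated to a possibly forged address; the authenticated path deliberately ignores the client address so that users on dynamic IPs can still submit for their own domain.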