ietf-mxcomp

Re: (DEPLOY) In Support of Sender ID

2004-09-03 10:38:06

Rand Wacker <rand(_at_)sendmail(_dot_)com> writes:

Large Bank has quite a bit of customer email delivered by a third party.
This third party delivers mail with a bounce address (MAIL FROM) of
outsource.com (so they can do the bounce processing), but a From: header
of largebank.com.  Large ISP will only whitelist largebank.com (because
that is who the ISP/Bank customers want to hear from, they don't care
about hearing from outsource.com).

And prior to Sender-ID being published, a recipient looking at the
headers will see that the mail was not sent from largebank.com and at
least some of them might discard the email as not genuine - especially
as phishing is so rife at the moment. If instead of this they were to
create a sub-domain 'outsource.largebank.com' for outsource.com to use
and set up the DNS for that sub-domain to point to outsource.com's
servers then both SPF1 would work *and* customers examining the
headers would see that it comes from a host within largebank.com and
would therefore put more trust in the authenticity of the emails.

As I have said before, organisations like largebank.com who use third
party domains in their emails are making life easier for phishers. If
customers see genuine emails sent from third party domains, they are
less likely to suspect the forged emails sent by phishers.
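
The two setups contrasted in the message above, as an added Python example that is not part of the original post: it compares the bounce-address (MAIL FROM) domain with the From: header domain and reports whether the sender is the same domain, a sub-domain, or a third party. The sample message is constructed, the function names are hypothetical, and the sub-domain test is a plain label-suffix match.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Return the lower-cased domain of 'Name <user@host>', or '' if there is none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(mail_from, raw_message):
    """Relate the MAIL FROM domain to the From: header domain of one message.

    Returns 'same-domain', 'sub-domain', 'third-party' or 'unparseable'.
    """
    msg = message_from_string(raw_message)
    header_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(mail_from)
    if not header_domain or not envelope_domain:
        return "unparseable"
    if envelope_domain == header_domain:
        return "same-domain"
    # Match on a label boundary: only names ending in '.<header domain>' count,
    # so a domain that merely ends in the same characters is not a sub-domain.
    if envelope_domain.endswith("." + header_domain):
        return "sub-domain"
    return "third-party"


# Constructed sample message using the domain names from the discussion.
SAMPLE = (
    "From: Large Bank <statements@largebank.com>\n"
    "To: customer@example.net\n"
    "Subject: Your statement\n"
    "\n"
    "Your statement is ready.\n"
)

if __name__ == "__main__":
    for bounce in ("bounces@outsource.com", "bounces@outsource.largebank.com"):
        print(bounce, "->", classify(bounce, SAMPLE))
```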