David Woodhouse wrote:
On Wed, 2004-09-15 at 09:52 -0400, Kevin Peuhkurinen wrote:
Add my name to those that disagree with you. I have "-all" in my SPF
records because I am confident that all legitimate business related
emails from my company will be sent from the servers specified in my SPF
records and none others.
Your confidence is misplaced. As an example -- if you ever send a mail
to the address 'dwmw2@infradead.org', it's likely to get forwarded to
wherever I happen to be reading my mail at the time, such as an email
address at my current place of employment. Neither you nor the sysadmin
at the final destination may have any idea about the arrangement, which
is an established practice and which has worked for decades.
Breaking this so abruptly would constitute a flag day. Your naïveté
is a prime example of why such records should temporarily be prohibited,
until such time as the rest of the world has adjusted.
By immediately allowing the use of '-all' on domains which actually send
mail, we would promote discord and harm interoperability.
To be brutally honest, unless you are an executive or member of our
board of directors or an extremely important customer, I just don't care
that much from a business perspective if you don't get my email. I'm
not trying to put down your perspective any more than you are mine, but
looking at it from a purely business rather than a techie point of view,
it's just not my concern that you want to forward your mail AND have
your end receiver do SPF checks as well. I'm just telling the world
which servers are authorized to send email on behalf of my domains.
It's your receiver that's dropping the email and if you are unhappy
about not getting your mail, you should take it up with them.
Now, if you could convince me that a large portion of our business
contacts would have trouble with this, then I'd reconsider.
Otherwise, being in the banking industry, I am much more concerned
about stopping forgeries than I am about permitting online greeting
card emails.
Then you should be looking at a scheme which actually offers true
end-to-end verification of identity. You could start by PGP-signing your
output.
PGP signing my output would do next to nothing to stop phishing style
forgeries.
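The forwarding failure David describes, as an added example that is not part of the thread: a minimal SPF evaluator in Python run over constructed TXT records. The domains (bank.example, forwarder.example and so on) and the documentation-range addresses are hypothetical, and srs_rewrite is a simplified stand-in for a forwarder's sender rewriting, not a full SRS implementation.

```python
import ipaddress

# Constructed TXT records for this example; the domains and addresses are
# hypothetical (documentation ranges) and do not come from the thread.
SPF_RECORDS = {
    # A sender that, like Kevin, lists its outbound hosts and ends with -all.
    "bank.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 "
                    "include:_spf.mailer.example -all",
    # A bulk-mail provider the bank includes; it uses a soft fail itself.
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # The same policy with ~all instead of -all, for comparison.
    "softbank.example": "v=spf1 ip4:192.0.2.10 ~all",
    # The host that forwards David's mail on to the mailbox he reads.
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, lookup=SPF_RECORDS.get, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Supports the ip4/ip6, include and all mechanisms with their qualifiers,
    which is enough to show how -all interacts with forwarding.  The a, mx,
    ptr and exists mechanisms need live DNS and are skipped here.
    """
    if depth > 10:                       # SPF caps DNS-querying terms at 10
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A bare address is a /32 or /128; a mismatched IP version never matches.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the included domain's record says "pass".
            matched = check_spf(client_ip, arg, lookup, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and there was no "all"


def receiver_check(client_ip, envelope_from):
    """What the final receiving MTA does: SPF on the envelope sender's domain."""
    return check_spf(client_ip, envelope_from.rpartition("@")[2])


def srs_rewrite(envelope_from, forwarder_domain):
    """Simplified SRS-style rewrite by a forwarder that wants to pass SPF.

    Real SRS also embeds a timestamp and an HMAC so bounces can be validated;
    this illustration only moves the original sender into the local part.
    """
    local, _, domain = envelope_from.rpartition("@")
    return f"SRS0={domain}={local}@{forwarder_domain}"


if __name__ == "__main__":
    original = "kevin@bank.example"
    # 1. Direct delivery from a listed host: passes.
    print("direct      :", receiver_check("192.0.2.10", original))
    # 2. The same message forwarded unchanged by 203.0.113.5: hard fail under -all.
    print("forwarded   :", receiver_check("203.0.113.5", original))
    # 3. Had the sender used ~all, the forwarded copy would only soft fail.
    print("forwarded ~ :", receiver_check("203.0.113.5", "kevin@softbank.example"))
    # 4. A forwarder that rewrites the envelope sender answers for the mail itself.
    rewritten = srs_rewrite(original, "forwarder.example")
    print("SRS rewrite :", receiver_check("203.0.113.5", rewritten))
```

The unchanged forwarded copy fails because the forwarder's address is not in the original sender's record and the receiver has no way to know a forwarding arrangement exists; either the forwarder rewrites the envelope sender so its own record applies, or the receiver whitelists the forwarder, or the message is rejected.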