ietf-mxcomp

Re: So here it is one year later...

2005-01-31 11:55:53

In <20050131173705(_dot_)8601516CC4(_at_)mail(_dot_)nitros9(_dot_)org> "Alan DeKok" <aland(_at_)ox(_dot_)org> writes:

> Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
>
>> There is no means to know which recipient may be using a forwarded
>> account.
>
>   Yup.  Likewise, there's no way to know who on the net will be
> sending spam forged to be "from" your domain.

If the sending domain uses SES, then it can detect the forwarder
situation and not cause an SPF failure.  (This can also be used for
roaming users.)  The cost is an extra DNS lookup.

The receiving MTA can know if email is being sent through a
forwarder.  For example, the user can tell the system via a whitelist
request.  Spamassassin's auto-whitelists will automatically help out a
great deal because it detects the overall spamminess of the forwarder and
that will be enough to override the SPF failures.

Better systems could be built to automatically detect forwarders by
looking to see whether a source usually fails the 2821.MAILFROM SPF check, but
usually passes when the 2822.To: (or cc:) gets an SPF check done on
it.


>   This is not to say SPF is perfect.  Other methods do much of what
> SPF does, without its problems.

I certainly agree that SPF is not perfect.  I am, however, curious
which systems you think do much better than SPF and what data you have
to back up that opinion.  So far, I haven't found any data to back
that claim.



-wayne
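
Added example, not part of the original message and not code from any participant in the thread: a sketch of the forwarder-detection heuristic described above (a source that usually fails the 2821.MAILFROM SPF check but usually passes when the 2822.To: domain is checked). The record layout, the thresholds and the sample data are assumptions; the SPF results are assumed to come from the receiving MTA's existing SPF checker.

```python
from collections import defaultdict

# Constructed sample observations (documentation-range IPs, not real traffic).
# Each record: (source_ip, SPF result for 2821.MAILFROM,
#               SPF result for the 2822.To:/Cc: domain checked against source_ip)
SAMPLE = (
    [("192.0.2.10", "fail", "pass")] * 5      # forwarder relaying others' mail
    + [("192.0.2.10", "pass", "pass")]        # forwarder's own mail
    + [("198.51.100.7", "fail", "fail")] * 6  # forged sender, not a forwarder
    + [("203.0.113.5", "pass", "fail")] * 6   # ordinary direct sender
    + [("192.0.2.99", "fail", "pass")] * 2    # matches, but too little history
)

# Assumed thresholds; "usually" in the message is not quantified.
MIN_MESSAGES = 5
FAIL_RATIO = 0.8   # share of messages failing the MAIL FROM check
PASS_RATIO = 0.8   # share of messages passing the To:/Cc: domain check


def likely_forwarders(records, min_messages=MIN_MESSAGES,
                      fail_ratio=FAIL_RATIO, pass_ratio=PASS_RATIO):
    """Return {source_ip: (total, mailfrom_fails, to_passes)} for sources
    whose history matches the forwarder pattern."""
    stats = defaultdict(lambda: [0, 0, 0])
    for ip, mailfrom_result, to_result in records:
        entry = stats[ip]
        entry[0] += 1
        entry[1] += mailfrom_result == "fail"   # only a hard fail counts
        entry[2] += to_result == "pass"
    found = {}
    for ip, (total, mf_fail, to_pass) in stats.items():
        if total < min_messages:
            continue  # not enough history to say "usually"
        if mf_fail / total >= fail_ratio and to_pass / total >= pass_ratio:
            found[ip] = (total, mf_fail, to_pass)
    return found


if __name__ == "__main__":
    for ip, (total, mf_fail, to_pass) in likely_forwarders(SAMPLE).items():
        print(f"{ip}: {mf_fail}/{total} MAIL FROM fails, "
              f"{to_pass}/{total} To: passes -> likely forwarder")
```

A source flagged this way is a candidate for the whitelist treatment mentioned in the message; the forged-sender source fails both checks and is not flagged.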