ietf-mxcomp

CSV, DKIM, SPF, reputation (was: SPF and SenderID)

2005-07-21 03:36:58

Kjetil Torgrim Homme wrote:

> SPF authorises an IP-address to use a domain.
> [...]
> SPF offers no protection against abuse from the entities
> sharing your server.

Yes, for that you would need "enforced submission rights"
as specified in RfC 2476(bis) option 6.1, or your own MTA.

The spec. is rather clear about this issue (chapter 10.4).

> take your business elsewhere -- but it won't help.  the
> reputation is tied to your domain name.  the only solution
> is to plea with others, to wait, or to switch domain name.

If you're worried about this problem you can use the "?"
(NEUTRAL) qualifier, and still have "-" (FAIL) for the rest
of the world.

> it does require at least one IP address per entity wanting
> distinct reputation.

No, that's not the case.  And for the HELO-part of SPF it's
very similar to what you said about CSV, for simple policies
mta.example.com. IN SPF "v=spf1 a -all"

CSV is unrelated to forgeries, it's a solid base to reputation
systems - with SPF hoping that MTAs really limit themselves to
simple HELO-policies is shaky (but not impossible).

DKIM has a problem with forgeries, you have to declare that you
_always_ sign your headers.  SPF is in theory more flexible:

You only need to know the IPs.  In fact excluding the worst
offenders with "-" (FAIL) and use "?" (NEUTRAL) for the rest
of the world could also help.  I've not tested this approach,
I have a classic no-nonsense CIDR-based PASS or FAIL policy,
the original RMX idea, no special SPF-features.  Bye, Frank