Bruce Lilly wrote:
> SPF and SPF-like schemes impose an additional necessary
> condition:
> the ISP's MTA must work 100.00000% of the time
Not necessarily. If you have your own domain (or a small
domain shared by 15 users as in your example), then you
can permit the IPs of several mail providers.
In the most simple case you have providers A, B, C with
policies and "v=spf1 include:A include:B include:C -all".
If C doesn't offer an SPF policy for inclusion you could
still try to guess the CIDR(s) used by its mailouts, or
again in the most simple case you just know what C does:
"v=spf1 include:A include:B mx:C a:mailout.C -all"
> In the presence of schemes which thwart such work-arounds
> by forcing traffic through a choke point, that choke point
> needs to work perfectly, no matter what
Admittedly I'm a user with a single choke point. OTOH it's
what I wanted and proposed ;-) Catch-all vanity domains are
a really nice idea, but less so if they are forged.
SPF also allows creating per-user policies, but that's a
premium service not available at my ISP.
The reality is, even before SPF I needed more than one mail
provider to bypass problems like dubious black listings.
And I have mailboxes at both A and B. So when I now have a
problem with A I simply send the mail via B, just using the
corresponding MAIL FROM:<my.B.address@B.example>
Anything else (2822-From my.A.address@A.example)
unmodified.
No big deal.
JFTR, it won't work this way with SenderID PRA, but that's a
very different scheme, only the spf2.0/pra syntax is similar.
Bye, Frank
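Added example (not part of Frank's mail or any real SPF library): a small evaluator for the include/mx/a/ip4 mechanisms used in the policies above, run against constructed zone data. The domains (mydomain.example, a.example, b.example, c.example, mailout.c.example) and all IP ranges are made-up documentation values. It shows the two points of the mail: a domain policy that admits several providers via include/mx/a passes for any of their mailouts and fails for everything else, and an SPF check is keyed on the MAIL FROM domain, so switching to provider B with B's MAIL FROM address passes under B's own policy while the 2822 From stays untouched.

```python
"""Toy SPF (RFC 7208 subset) evaluator for the include, mx, a, ip4 and all mechanisms.

Added example with constructed DNS data; it is not the code of any real SPF
implementation and deliberately omits redirect=, exists:, ptr:, macros and
IPv6 to keep the policy logic readable.
"""
import ipaddress

# Constructed TXT records (assumption: these are the policies discussed above).
TXT = {
    "mydomain.example": "v=spf1 include:a.example include:b.example "
                        "mx:c.example a:mailout.c.example -all",
    "a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # c.example publishes no SPF record, so mydomain.example names its hosts directly.
}
# Constructed MX and A data for provider C.
MX = {"c.example": ["mx1.c.example"]}
A = {"mx1.c.example": ["203.0.113.10"], "mailout.c.example": ["203.0.113.20"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate <domain>'s SPF policy for sending address <ip>.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                      # include: recursion limit (RFC 7208 caps DNS lookups)
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published for this domain
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            # a:<target> matches if the sender IP is one of the target's A records
            matched = str(addr) in A.get(arg or domain, [])
        elif mech == "mx":
            # mx:<target> matches if the sender IP is an A record of any MX host
            hosts = MX.get(arg or domain, [])
            matched = any(str(addr) in A.get(h, []) for h in hosts)
        elif mech == "include":
            # include: only a "pass" of the included policy counts as a match;
            # an included domain without a policy is a permanent error
            sub = check_host(ip, arg, depth + 1)
            if sub == "none":
                return "permerror"
            matched = sub == "pass"

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no explicit "all"


def check_mail_from(ip, mail_from):
    """SPF is keyed on the MAIL FROM domain, not on the 2822 From header."""
    domain = mail_from.strip("<>").rsplit("@", 1)[1].lower()
    return check_host(ip, domain)


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.7", "203.0.113.10", "203.0.113.20", "203.0.113.99"):
        print(ip, "->", check_host(ip, "mydomain.example"))
    # Fallback from the mail: send via B with B's MAIL FROM address.
    print(check_mail_from("198.51.100.7", "<my.B.address@B.example>"))
```

Evaluating the record that way shows why the multi-provider policy removes the single choke point: mailouts of A (via include), B (via include) and C (via mx and a) all pass, anything else hits -all. It also shows the softfail case, since b.example ends in ~all rather than -all, and that a MAIL FROM at a domain without a policy yields none rather than a verdict.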