On Fri, Feb 20, 2004 at 03:09:56PM +0000, Brian Candler wrote:
| > If this becomes a problem, maybe the ISP's smarthost shouldn't be
| > accepting mail that doesn't appear to come from an email account provided
| > by the ISP.
|
| Perhaps; if ISPs did this, and blocked port 25 to force traffic through
| smarthosts, there would be no need for SPF. You could also make a strong
| case that all ISP users should authenticate using SMTP AUTH, so that you can
| validate exactly who the user is.
|
| But it would be a big change to established practices and would break lots
| of people:
|
| (1) I send outgoing mail From: B(_dot_)Candler(_at_)pobox(_dot_)com, even
| though that's not my ISP's domain
| (2) Several users in one household may send all their outgoing messages in
| a single SMTP connection to the smarthost
| (3) Users have vanity domains
| (4) Mail servers handling multiple vanity domains, but behind a dial-up
| connection, currently use a single local smarthost to send outgoing mail. If
| they had to make different connections to different smarthosts (each with
| different SMTP AUTH credentials), based on the domain of the return path for
| each message, that would be a royal pain in the a***.

Brian, shortly before you joined the list I posted a scenario:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200401/1505.html

The ASTA and ASRG are working on a BCP that describes some elements of
the above. I would expect to see it published in the I-D archive by the
end of March.

Point number 7 addresses the problem case you raise.

Also, in the next few weeks we will offer per-user SPF records so you
can set up the appropriate SPF record for B(_dot_)Candler(_at_)pobox(_dot_)com
if you prefer not to use our smtp server for outbound mail.

cheers
meng