On Apr 21, 2004, at 10:38 PM, David Woodhouse wrote:
> On Wed, 2004-04-21 at 18:52 -0400, Stuart D. Gathman wrote:
>> Naturally, mail with an SPF enabled from domain gets bounced by an
>> SPF checking MTA (mine). The bounce has a nice link to the why.html
>> page, and was properly delivered to the from address, but the user was
>> still confused.
>> Especially after they forwarded the bounced message from home several
>> days later and it arrived with no problems. Naturally they felt jipped.
>> The sender felt it was the hospital's fault (because it worked from
>> home).
>> The recipient felt it was the fault of SPF, and got angry when I
>> tried to explain how it works.
>
> The recipient is right to be angry if legitimate mail is being bounced
> by your unilaterally applied policies. I just hope they aren't _paying_
> you for this 'service'.

That's one way to look at it. The only way to get an SPF fail is if
the sender's domain explicitly forbid sending mail from that place they
attempted to do so (likely by ending their SPF record with -all). The
domain specifically instructed the receiving domain to _not_ receive
the mail. Regardless if your users are paying for the service or not,
you have a responsibility to respect the SPF record. Otherwise, what's
the point of publishing SPF records with strict failure conditions?
Instead, those sending domains should publish a ?all.

By "you have a responsibility" I mean if you are going to implement SPF
at all, you have responsibility to respect the policies that are
published by domains -- otherwise, what's the point?

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth