On Sat, 2004-04-24 at 20:21 -0400, PARIS wrote:
What happens if a person uses his business internet connection to send
email using his hotmail return address. Thus he will be sending
legitimate mail but from the business IP which of course is not
listed. So according to the DOC. THe message will be bounced.
You are correct.
That message which you (reasonably) call 'legitimate' is declared by the
SPF proponents to be illegitimate, because it should in their eyes have
been submitted via SMTP AUTH via hotmail's servers -- perhaps over the
MSA port since so many dialup providers firewall port 25.
Basically, SPF does not work with today's email system -- it requires
everyone to start using SMTP AUTH (even when it's firewalled), and it
also requires some even more convoluted behaviour when forwarding email.
Only then does it work without any false positives such as the one you
pointed out.
If you want to deploy SPF on a production machine then I would suggest
that you should wait until the new RFC replacing RFC2821 is released,
standardising these changes which are required by all mail hosts.
Then wait another few years until compliance with that is ubiquitous,
and _then_ consider whether you can start to use SPF.
--
dwmw2