Paul Robinson wrote:
The reference implementation of SPF (the perl Mail::SPF::Query module) has a
mode of operation where mail from hosts that are listed as MXes for a
recipient's domain is allowed through (on the basis that SPF checking will
have been done on that MX).
The other implementations will no doubt have similar functionality because
obviously it's a big problem otherwise.
But that's still a problem. You've removed the admin overhead, but I now have a
trust relationship implicit in the MX records for the domain. I suppose
ultimately this means that I end up trusting the backup MX in the same way I do
for any host sending mail for a non-SPF protected domain. I'm not entirely sure
how I feel about this, but to me it looks like a hole to get through SPF that
spammers are going to target, especially when there are backup MX services out
there handling mail for tens of thousands of domains.
Remember that you're only trusting the MX hosts for a mail domain that you are
hosting (so you must already have some trust level for that domain), and only
then for mail for a recipient in that domain. There's no trust relationship
for that MX for recipients in any other domain.
Remember also that SPF is not really an anti-spam technology in the first
place, and there are many ways for spammers to get around it, e.g. by spoofing
a domain that doesn't have an SPF record. If all the MXes for a domain do SPF
checks, then the spammer can't gain an advantage by choosing the secondary MX
anyway.
Regards, Paul.