Hi,
On Fri, Jun 04, 2004 at 11:09:14AM +0100, Paul Robinson wrote:
> The only way I can see of getting around this is to implicitly trust
> mx2.example.com and do not do any SPF checking at all from this server. This

Correct.

> has several major problems:
> - I have to update my mail config every time I change the MX for a zone,
>   sometimes at a customer's request
> - I have to implicitly trust third-party MXes and blindly allow any mail from
>   them, which kind of negates the point of SPF

Well, you already trust those mx'es not to read your mail while it's being
spooled for delivery to your primary once it comes back online. If they have
implemented SPF and you trust them to not read your mail, can't you also trust
them not to send you forged email?

> - Some of these backup MX boxes are operated by companies offering backup MX
>   to hundreds, if not thousands, of domains. They become a target for
>   hackers/spammers

I, for one, would never use a backup mx that is not under my control, for the
reasons above. Why allow someone that you don't trust access to your private
email?

> - My customer's outbound e-mail may get caught up into a backup MX "hole" and
>   get rejected because the admin at the other end forgot to update his mail
>   config to handle this

I don't quite get this point (maybe the heat in here).

Koen
--
http://www.sonologic.nl/
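
Added example, not part of the original message or of any mail server's own code: one way to scope the SPF exemption discussed above so that a backup MX is trusted only for the zones it actually serves, with the trusted set derived from the MX records instead of a hand-maintained list. The zone names, addresses and function names are assumptions, and the lookup tables are constructed stand-ins for DNS queries.

```python
import ipaddress

# Constructed sample data: MX records per hosted zone as (preference, host),
# and the addresses those hosts resolve to. A real deployment would query
# DNS; every name and address here is a placeholder.
MX_RECORDS = {
    "example.com": [(10, "mx1.example.com"), (20, "mx2.example.com")],
    "example.org": [(10, "mx1.example.com")],
}
HOST_ADDRS = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["198.51.100.20"],
}
OUR_HOST = "mx1.example.com"  # the primary MX running this check (assumed)


def backup_mx_addresses(rcpt_domain):
    """Addresses of MX hosts for rcpt_domain that are less preferred than us."""
    records = MX_RECORDS.get(rcpt_domain.lower(), [])
    ours = [pref for pref, host in records if host == OUR_HOST]
    if not ours:
        return set()  # we are not an MX for this zone: exempt nobody
    return {
        ipaddress.ip_address(addr)
        for pref, host in records
        if pref > min(ours)  # higher preference value = backup relative to us
        for addr in HOST_ADDRS.get(host, [])
    }


def spf_action(client_ip, rcpt_domain):
    """Return 'skip' when client_ip is a backup MX of the recipient's zone,
    otherwise 'check' (run the normal SPF evaluation on the connecting IP)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "check"  # an unparseable address never earns an exemption
    return "skip" if ip in backup_mx_addresses(rcpt_domain) else "check"
```

Skipping the check here only moves the SPF decision to the backup MX, so it helps only if that host evaluates SPF itself before accepting the mail.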