spf-discuss

Re: Question on how things work

2004-06-04 15:47:26
On Fri, 4 Jun 2004, Dave Lewis wrote:

> I'm not sure what you mean by per user SPF records?

One of the domains I host is the web site and mail server for a club. As
an incentive for paying annual dues, the club gives each dues-paying club
member a forwarding e-mail address. The members get no mailbox on the
server, but they get an e-mail address <somebody>@clubdomain.org.

I don't allow them (currently) to relay through (well, *submit* through)
the mail server. In the past they could just use their regular ISP and
configure their MUA with the club e-mail address.

AFAICT, as I implement SPF on that domain, I will need to do one of the
following:

1. Give all the club members an identity of some sort on the mail server,
so that they can use SMTP AUTH and submit through port 587. (This is more
than the single virtusertable [sendmail] entry they currently have on the
server.)

2. Somehow identify the ISPs of all the club members (perhaps by looking
at the RHS of the virtusertable entries), and include some sort of entry
for each ISP in the SPF record. [Note: This would probably reduce the
security of SPF considerably, because then *anyone* from any of those ISPs
could use fake mail from addresses.]

3. Add a "per user" SPF record. (Does such a thing really exist?) [Note:
Any per-user SPF record I can imagine would post on the Internet (via DNS)
a whitelist of from addresses that could send e-mail--what more could a
spammer ask for?!!].

4. Tell the club that members can use the club e-mail address only in a
Reply-To header.

5. Quit offering the forwarding e-mail addresses to club members.

(BTW, I definitely plan to change the ?all in the club's SPF record to
-all at some point--assuming that I don't have to use XML. I just haven't
decided which of the above 5 options I will implement.)

-- 
Weldon Whipple
weldon(_at_)whipple(_dot_)org
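
Added example (not part of the original message): a reduced SPF evaluator that compares option 2 (including a member's ISP) with option 3 (a per-user check built from SPF's `exists` mechanism and the `%{i}`, `%{l}`, `%{d}` macros). The records, the name isp-a.example, the `_spf` label, the member names and all addresses are constructed for illustration; DNS is replaced by in-memory tables.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand(spec, ip, local, domain):
    # Subset of SPF macros: %{i} client IP, %{l} sender local-part, %{d} domain.
    for macro, value in (("%{i}", ip), ("%{l}", local), ("%{d}", domain)):
        spec = spec.replace(macro, value)
    return spec

def check_host(ip, local, domain, txt, a_names, depth=0):
    """Evaluate a reduced SPF record (ip4, include, exists, all) for one sender."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none" if depth == 0 else "permerror"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Simplification: an error inside the included record counts as no match.
            hit = check_host(ip, local, arg, txt, a_names, depth + 1) == "pass"
        elif name == "exists":
            # Stands in for an A lookup on the macro-expanded name.
            hit = expand(arg, ip, local, domain) in a_names
        else:
            return "permerror"
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed data: 192.0.2.10 is the club mail server, 198.51.100.0/24 the ISP.
ISP_TXT = {"isp-a.example": "v=spf1 ip4:198.51.100.0/24 -all"}
OPTION_2 = {"clubdomain.org":
            "v=spf1 ip4:192.0.2.10 include:isp-a.example -all", **ISP_TXT}
OPTION_3 = {"clubdomain.org": "v=spf1 ip4:192.0.2.10 exists:%{i}.%{l}._spf.%{d} -all"}
A_NAMES = {"198.51.100.7.alice._spf.clubdomain.org"}  # alice at her ISP address

if __name__ == "__main__":
    for label, txt in (("option 2", OPTION_2), ("option 3", OPTION_3)):
        for ip, local in (("198.51.100.7", "alice"), ("198.51.100.200", "treasurer")):
            print(label, local, ip, check_host(ip, local, "clubdomain.org", txt, A_NAMES))
```

Under the option 2 record every address in the ISP's range passes for every club local-part, while the option 3 record passes only the one (IP, local-part) pair that has an entry, which also means the entry must follow the member's ISP-assigned address.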