On Jun 21, 2004, at 9:36 PM, Sivakumar Sathyamurthy ( InfoSec)- CTD,
Chennai wrote:
> 1) Mechanism to be used for rejecting mails from domains with no SPF
> records.
Please make sure that you understand that there is a big difference
between mail from domains with no SPF records, and mail which fails an
SPF test. Rejecting on the fails makes sense. Rejecting on a result
of "none" strikes me as something that only very peculiar sites with
very unusual needs should ever consider.
You do not say what your mail system is, so it is impossible to provide
mechanisms.
Generally speaking, there are three ways of doing it.
(1) Rejecting very early (after MAIL FROM). This would take
configuring or modifying the SPF tools that you've set up for your MTA.
(2) Rejecting after DATA. This could be done by using one of the many
sitewide filtering systems out there, and adding a rule to reject on
Received-SPF: none.
(3) User filters, keying off of Received-SPF: none.
But again, rejecting on an SPF result of "none" would be extremely
unwise until SPF has become much, much more pervasive.
> 2) Intimation to the clients, end-users, on the action taken by SPF.
The standard tools already provide useful texts for the bounces (though
not all MTAs will pass those on). Whatever tool you use to do the
reject can usually be easily configured to return any text you want.
For recipients, keep in mind that in most SPF filtering set-ups, a
rejection due to an SPF "fail" will happen before the mail system even
learns who the mail was being sent to. But for other rejection
methods, you can again use whatever tools you are using for that
rejection.
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
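
Added example, not part of the original message: a sketch of the after-DATA or user-filter approach, keying off the Received-SPF header and rejecting on "fail" while accepting "none". The function names, the sample messages and the assumption that the local MTA prepends its own Received-SPF header above any copy supplied by the sender are all constructed for illustration.

```python
import email
import re
from email import policy

# The SPF result keyword is the first token of a Received-SPF header value.
_RESULT = re.compile(r"\s*([A-Za-z]+)")

def spf_result(msg):
    """Return the lowercase result of the topmost Received-SPF header, or None."""
    # Assumption: the local MTA prepends its header, so the first occurrence is
    # the trustworthy one; copies further down may have been put there by the sender.
    value = msg.get("Received-SPF")
    if value is None:
        return None
    m = _RESULT.match(str(value))
    return m.group(1).lower() if m else None

def decide(raw_message, reject_on=("fail",)):
    """Return (action, result). By default only an explicit SPF 'fail' is rejected."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    result = spf_result(msg)
    action = "reject" if result in reject_on else "accept"
    return action, result

# Constructed sample messages (not real traffic).
SAMPLES = {
    "none": "Received-SPF: none (mx.example.net: example.org publishes no SPF record)\n"
            "From: a@example.org\nSubject: hello\n\nbody\n",
    "fail": "Received-SPF: fail (mx.example.net: 192.0.2.10 is not permitted\n"
            " by example.com)\nFrom: b@example.com\nSubject: hello\n\nbody\n",
    # The local MTA's verdict sits on top; the lower header came with the message.
    "stacked": "Received-SPF: fail (mx.example.net: 192.0.2.10 not permitted)\n"
               "Received: from relay.example.com by mx.example.net\n"
               "Received-SPF: pass (inserted by sender)\n"
               "From: c@example.com\nSubject: hello\n\nbody\n",
    "missing": "From: d@example.org\nSubject: hello\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, decide(raw))
    # The stricter policy the thread advises against: also reject on "none".
    print("strict", decide(SAMPLES["none"], reject_on=("fail", "none")))
```

Under the strict policy, every message from a domain that has not published SPF records is rejected, which is the outcome the reply above cautions against.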