spf-discuss

Re: ISP migration information

2004-07-04 00:23:59
> We've been talking about it on #spf a bit, and reached the conclusion
> there should be a page dedicated to those working at the ISPs and
> domain hosters, giving them pointers on how to roll out spf, smtp auth,
> what to tell their customers, etc...
>
> I've taken the lead on this, and am enquiring whether anyone on the list
> here is an ISP, can provide me with some input on how they did roll out
> spf or how they are planning to do so. What issues should ISPs take
> into account?

I am an ISP -- the very classic, dialup sort. 

For us, rollout was easy: We've been using SMTP-AUTH for years, and I'm
setting up all new customers with the SUBMIT port instead of SMTP. We're
also using Exim, whose flexibility makes it really easy to work with
safely, even on a hot system.

We've also had outgoing port-25 blocking for some time: you can connect
to a server in our subnet or not at all. It comes with the contract with
the dialup wholesaler.

I've had a handful of customers call with problems, probably 1% of my
user-base. After checking the logs, that seems like all of them.

> Maybe we want to provide standard letters ISPs can send to their
> customers. Checklists for the technicians, that kind of stuff.

That's a very good idea. Having a way to recognize the SPF failures from
the error message the customer has is a must: For us, the most common
failure is to not select SMTP-AUTH in Outlook Express, since the setup
wizard ignores it. We put a very recognizable string in the reject
message, so it's easy to pick up as the source of the problem.

Forwarding services are difficult, and we are working on a user-accessible
whitelist system. I think that's the cleanest way to deal with non-RPR
forwarders. I'd have that up, working and tested before rolling out SPF,
and send out a succinct message saying "If you use a forwarding
service:", with simple instructions. It's not that big a deal.

In my experience, a few rejects here and there are /helpful/ on my
customer relations. They want something done about "the email problem"
-- all of it. Spam. Forgeries. Phishing. Virii. Any step, any sign that
we're active is a good one, as long as the problems with it stop after
they complain. We make sure that happens.

So, we essentially flipped the switch and called it good. We're picking
up a few pieces, and we're very responsive to customer complaints,
working on solving /their/ problem, whatever it is. That's served us
well as a policy. If your customer base is used to communicating their
needs, I recommend it. If not, be careful. Softfail first. Monitor logs
and contact customers who have problems. Track problems.

The ISPs who will have the toughest time are the ones whose customers
theoretically could be sending from anywhere and don't have AUTH set up.

Ari
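
[Added example, not part of Ari's message or of any ISP's tooling: one way to do the "monitor logs and contact customers who have problems" step by picking rejects out of the mail log by the recognizable string. The tag SPF-AUTH-HELP, the function names and the sample lines are assumptions constructed for illustration; the line layout is modelled on Exim's main-log rejection entries.]

```python
import re

# Hypothetical tag: the post says only that a "very recognizable string" is
# placed in the reject message, not what that string is.
MARKER = "SPF-AUTH-HELP"

# timestamp, [client ip], F=<envelope sender>, "rejected RCPT <rcpt>: text"
REJECT_RE = re.compile(
    r"^(\S+ \S+) .*?\[([^\]]+)\].*? F=<([^>]*)> rejected RCPT <([^>]*)>: (.*)$"
)

def triage(lines, marker=MARKER):
    """Group tagged rejects by envelope sender; count untagged rejects apart."""
    tagged, other = {}, 0
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # deliveries, queue runs and so on are not rejects
        ts, ip, sender, _rcpt, text = m.groups()
        if marker not in text:
            other += 1  # rejected for a different reason (e.g. relay attempt)
            continue
        rec = tagged.setdefault(
            sender, {"count": 0, "ips": set(), "first": ts, "last": ts})
        rec["count"] += 1
        rec["ips"].add(ip)
        rec["last"] = ts
    return tagged, other

def repeat_senders(tagged, threshold=2):
    """Senders who hit the tagged reject often enough to warrant a call."""
    return sorted(s for s, r in tagged.items() if r["count"] >= threshold)

# Constructed sample log lines (documentation addresses and domains).
SAMPLE_LOG = [
    "2004-07-04 09:01:12 H=(dial-17) [192.0.2.17] F=<alice@isp.example> rejected RCPT <bob@elsewhere.example>: SPF-AUTH-HELP: enable SMTP authentication in your mail client",
    "2004-07-04 09:03:40 H=(dial-17) [192.0.2.17] F=<alice@isp.example> rejected RCPT <bob@elsewhere.example>: SPF-AUTH-HELP: enable SMTP authentication in your mail client",
    "2004-07-04 09:05:02 H=(dial-23) [192.0.2.23] F=<carol@isp.example> rejected RCPT <dave@elsewhere.example>: SPF-AUTH-HELP: enable SMTP authentication in your mail client",
    "2004-07-04 09:06:30 H=relay.example [198.51.100.9] F=<x@bogus.example> rejected RCPT <erin@isp.example>: relay not permitted",
    "2004-07-04 09:07:00 1BhABC-0001xy-00 <= alice@isp.example H=(dial-17) [192.0.2.17] P=esmtpa S=1234",
]

if __name__ == "__main__":
    tagged, other = triage(SAMPLE_LOG)
    for sender in repeat_senders(tagged):
        r = tagged[sender]
        print(sender, r["count"], sorted(r["ips"]), r["first"], r["last"])
    print("untagged rejects:", other)
```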

