Seth Goodman wrote:
"most" doesn't include users with a reliable MX (static IP),
and a say DynDNS domain with "v=spf1 +a +mx -all" policy.
I specifically said the problem was with dynamic IP's as
you've quoted me above. Of course this does not include
static IP's.
Sorry, probably my answer was unclear: I was talking about a
user with dialup IP (dynamic IP) sending his mail directly to
the MX of the recipient. This same user can have a 3rd party
as MX, with a static IP for this MX.
IMHO this _could_ be good enough for reliable mail solutions.
DynDNS offers this solution, with their own MX services, or
with a 3rd party MX provider.
http://spf.pobox.com/slides/unified%20spf/0429.html
Tnx, yes, that's some kind of "bypass comcast.blackholes.us
for me please" scheme. And IMHO it's okay, this user says
that the sender policy for his domain does not follow the
defaults defined by his ISP.
Now you as recipient have to decide what you want, MTAMARK or
sender policy. As long as spammers don't use this construct
you could still accept the explicit sender policy.
Let's assume that I'm a spammer and want to abuse this feature:
1 - I'd need a domain allowing something like "v=spf1 a -all"
2 - a service like DynDNS allowing to publish my dyn. IP for
this domain
3 - an ISP saying "this IP is not normally used for mail" (or
an equivalent entry in a DNSBL used by the recipient)
That's a dilemma. But at least you could trust that all spam
sent from me comes with a valid sender policy. In the case of
DynDNS you could kill my account with a spam report, and the
"custom DNS" accounts allowing sender policies are _not_ free.
If you have a dynamic IP, you shouldn't be running an MTA
because you cannot be held accountable for what you send out.
If the functions "send" and "receive" (MX) are split, there's
no technical problem with this setup. I'd get all bounces and
normal replies via the MX. And I'm accoutable for my actions
at abuse(_at_)dyndns / abuse(_at_)myISP / abuse(_at_)myMX
Dynamic IP's inherently have no accountability.
That's IMHO not the case. You don't have a problem with "me"
(in my example), you have a problem with Spamcast (in your
scenario). But you know this already, it's nothing new, and
not related to (classic or united) SPF.
My point was that we shouldn't provide a mechanism for
people on dynamic IP's to get around their own ISP's
reasonable restrictions on that type of service.
I'm still not convinced, it's my mail and my sender policy.
If I really use a dynamic IP to send mail directly, then I
should be able to say so, just like I'm able to say "+all".
You as recipient are free to accept this, or to reject it
based on other evidence like MTAMARK or a DUL. Maybe your
objection is only the "trumps", and in that case just read
"could trump". It's only a slide, not a MUST in some RfC.
Bye, Frank