On Wed, Jul 14, 2004 at 10:55:52AM -0500, Whil Hentzen wrote:
| On Wednesday 14 July 2004 10:13, Bourque Daniel wrote:
| > I just received another false CITIBANK.COM e-mail... Why is it , if
| > Citibank is complaining about mail fraud, that they don't even publish SPF
| > TXT record???
|
| Because they don't really mean it. *s* It's just lip service put on by their
| PR department.
It's a chicken-and-egg problem. Maybe they're waiting for
forwarders to support SRS, because they're worried about the
false positives.
On the plus side, publishing SPF will help their mail get
past other spam filtersr, which are a source of false
positives on their own.
So today we already have a number of false positives that
could be avoided by publishing SPF records.
After publishing SPF records, a site will then see false
positives that will be caused by noncompliant forwarders who
are also not listed in trusted-forwarder.rog.
Either way there will be false positives. Assuming that the
problem will be on roughly the same scale, it makes sense
for companies to publish because that helps with phishing.
The middle ground is to publish with a softfail ~all
default, but that doesn't help with phishing if the mail
gets through.