terry(_at_)ashtonwoodshomes(_dot_)com wrote:
If you cannot make that statement with the same level of confidence that you can "material published on my website actually comes from me", then you shouldn't use +serverIdentifier.
Consider BIGISP.com: they have one mail server, mail.bigisp.com.

Little company abc.com buys a DSL account from bigisp.com, and they set up their email to relay through mail.bigisp.com, and abc.com's SPF record indicates mail.bigisp.com is the only mail server abc.com email comes from.

Little company spammer.com buys a DSL account from bigisp.com. He knows that abc.com is also using mail.bigisp.com by examining abc.com's SPF record (that's why he bought the DSL account from bigisp.com). Now he sends a spam, faking the from address as whatever(_at_)abc(_dot_)com, targeting victim(_at_)spamtarget(_dot_)com.

If mail.spamtarget.com has SPF installed on his mail server, does he have any SPF way of rejecting those emails? After all, they appear to be coming from the correct mail server for the domain abc.com.

My knowledge of SPF says no (please correct me if I am wrong).

If I am correct, then even an SPF pass does not prove the email to be legitimate or from the owner of the domain.
Exactly my point.
If BIGISP.com provides you with web service under www.example.com, they also provide you assurance that none of their other customers' pages will show up when someone hits http://www.example.com/.

Until they provide you the same assurance with e-mail, you cannot reasonably publish +include:BIGISP.com in your SPF record.

On the other hand, you could use "v=spf1 ?include:BIGISP.com -all" to stop the most obvious (and usually randomly targeted) forgeries.
--
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com http://www.vocalabs.com/
(952)941-6580x203
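The shared-relay scenario above, worked through as an added example (not code from either poster): a minimal SPF evaluator over a constructed in-memory "DNS" shows that with "+include:bigisp.com" a forgery relayed through bigisp.com's server earns a pass, while "?include:bigisp.com -all" downgrades it to neutral and still fails mail from hosts bigisp.com never authorized. The 192.0.2.25 and 198.51.100.7 addresses are constructed documentation-range values.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS. bigisp.com authorizes its one
# shared outbound server; abc.com delegates to it with different qualifiers.
ZONE_PLUS = {
    "bigisp.com": "v=spf1 ip4:192.0.2.25 -all",
    "abc.com": "v=spf1 +include:bigisp.com -all",
}
ZONE_NEUTRAL = {
    "bigisp.com": "v=spf1 ip4:192.0.2.25 -all",
    "abc.com": "v=spf1 ?include:bigisp.com -all",
}


def check_host(ip, domain, zone, depth=0):
    """Evaluate the RFC 7208 subset ip4:, include: and all for one sender IP."""
    if depth > 10:                      # recursion limit, as SPF requires
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = sender in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced record itself passes;
            # the qualifier in front of it decides what that match is worth.
            inner = check_host(ip, term[8:], zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


if __name__ == "__main__":
    for label, zone in (("+include", ZONE_PLUS), ("?include", ZONE_NEUTRAL)):
        for ip in ("192.0.2.25", "198.51.100.7"):
            print(label, ip, "->", check_host(ip, "abc.com", zone))
```

A pass from the shared relay therefore tells the receiver only that bigisp.com's server sent the message, not that abc.com's owner did; the neutral result at least stops the receiver from treating that as proof.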