spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Need to promote process changes

2004-07-29 02:21:08
from [Chris Haynes] [Permanent Link] 
I expect many of the people on this list have been following the [spf-help]Help!
thread from Stacey, in which she found that the newsletters being sent for her
by a third-party were not actually being received by increasing numbers of her
recipients.

Terchnologically-speaking, this was actually an SPF success story: significant
numbers of her eMails were being correctly rejected - so it shows there are
enough SPF implementations out there to have a noticable effect!


Marc Alaia informed the spf-help list that the supplier she uses to send her
newsletter:



...  just went ahead and added a few new mail exchangers without updating their

SPF configuration and it caused some of Stacy's email to be refused.

...



This highlights one aspect of SPF that does concern me- the dependence on
on-going process integrity once the initial enthusiasm for introducing SPF has
wained.

Site configuration processes have got to become totally-SPF-aware.

In Stacy's case her supplier's error of  forgetting to change the SPF record
when a new mail server was added was at least detectable - her mail did not get
delivered.

The really nasty problem will be forgetting to add an SPF  "-all" record each
time a new named host (i.e. domain) is added. That will leave the domain
unprotected (at least in the short-to-medium term whilst missing SPF records are
tolerated).

I think it may be necessary, when promoting SPF,  to place a lot of emphasis in
the need for domain administrations to update their processes and procedures to
ensure that the SPF records are reviewed _every time_  there is any other DNS
change.

But the SPF checks cannot be linked to DNS changes alone.  In Stacy's case it
seems the servers changed their mail-related role without any functional need to
change DNS A or MX records.

So, metaphorically, hanging a notice saying "Don't forget SPF" on the "Update
DNS" button will not be enough.

Everyone who might make a configuration change anywhere in the domain must be
made aware of the need to trigger an SPF record review.



The advice in spf.pobox.com  tends to read as if adopting SPF is a one-shot
activity.

Would it be a good idea to extend the "Management" and "Sysadmin" sections of
spf.pobox.com with advice for adopters to update their processes and procedures?


Chris
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ANNOUNCE: spf.infinitepenguins.net / spfTools.net site update, James Couzens
Next by Date:  Re: Re: [spf-devel] [POLITICAL INFIGHTING] Difference between spf/spf2 srs/srs2, Rob McMahon
Previous by Thread:  Error 0x80070103 - 0x0 while excluding recipients from a message rejection, Postmaster
Next by Thread:  Re: Need to promote process changes, Mark Shewmaker
Indexes:  [Date] [Thread] [Top] [All Lists]