On Tue, Aug 03, 2004 at 12:38:14PM +0200,
Daniel Gueniche <gueniche(_at_)grenoble(_dot_)cnrs(_dot_)fr> wrote
a message of 99 lines which said:
> So for testing purposes, the following TXT record was added on our
> DNS: grenoble.cnrs.fr IN TXT "v=spf1 a -all"
I do not find it:
; <<>> DiG 9.2.4rc5 <<>> TXT grenoble.cnrs.fr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                      ^
Did you suppress it after the tests? Or do you have split DNS?
And you have a lame delegation on our ns2.nic.fr :-)
> For me this seems to be bad because a mail from a non-existing
> domain is always accepted (because no TXT record).
Of course, SPF can only "protect" the domains that publish SPF
records. In the future, maybe you will be able to refuse email from
non-SPF domains but it is clearly unrealistic at this time.
> So, real "john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org" will be insulted
> by automatic anti-spam software.
If these programs send email to the sender of a spam (which is almost
always forged), they are stupidly broken (like all commercial
antivirus software is).
> Since SPF has seen that the e-mail was sent from 147.173.3.39, it can deduce
> from a reverse DNS request that this address belongs to
> grenoble.cnrs.fr
So what? Your SPF record only says that 147.173.3.39 is the only one
which can send mail from grenoble.cnrs.fr; it says nothing about other
domains 147.173.3.39 can send mail from.
> I think that SPF does more by ALSO relying on the SMTP sender IP address.
What about ISPs? 80.67.170.3 is in netaktiv.com but it sends email for
all the customers of Netaktiv. How do you suggest handling this?
> john.smith will not be insulted
He will not receive "We detected a spam from you" if you do not use
broken programs. Period.
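As an added illustration (not code from this thread, nor from any real SPF implementation), the Python sketch below evaluates a tiny subset of v=spf1 (the a, ip4 and all mechanisms with their + - ~ ? qualifiers) against a constructed in-memory DNS table, so the three situations argued above can be run side by side: a domain publishing "v=spf1 a -all", a domain publishing no record at all (result "none", which is why such mail is still accepted), and a host whose address is authorised for one domain but appears in the MAIL FROM of another. Only the two IP addresses 147.173.3.39 and 80.67.170.3 come from the thread; the records for netaktiv.com, example.org and some.domain.org, and the function names, are assumptions made for the example.

```python
"""Toy SPF (v=spf1) evaluator over a constructed DNS table.

Added example. It implements only the a, ip4 and all mechanisms; real
SPF (RFC 7208) also has include, mx, ptr, exists, redirect, macros and
lookup limits, all omitted here.
"""
import ipaddress

# Constructed in-memory DNS table standing in for real lookups.
# Hypothetical records; only the two IP addresses appear in the thread.
DNS = {
    "grenoble.cnrs.fr": {"A": ["147.173.3.39"], "TXT": ["v=spf1 a -all"]},
    "netaktiv.com": {"A": ["80.67.170.3"], "TXT": ["v=spf1 a -all"]},
    "example.org": {"A": ["192.0.2.10"], "TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "some.domain.org": {"A": ["198.51.100.7"]},  # publishes no SPF record
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    # RFC 7208: zero records -> "none"; several records are a permerror,
    # which this toy collapses into None as well.
    return records[0] if len(records) == 1 else None


def check_host(ip, domain):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    record = get_spf_record(domain)
    if record is None:
        return "none"  # no policy published: nothing to check against
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # "a" uses the domain's own A records, "a:other" those of other
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(target, "A"))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not handled by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result


if __name__ == "__main__":
    cases = [
        ("147.173.3.39", "grenoble.cnrs.fr"),  # the authorised host
        ("203.0.113.5", "grenoble.cnrs.fr"),   # a forged sender
        ("203.0.113.5", "some.domain.org"),    # domain without SPF
        ("147.173.3.39", "example.org"),       # same host, other domain
    ]
    for ip, domain in cases:
        print(f"{ip:>14} MAIL FROM @{domain:<17} -> {check_host(ip, domain)}")
```

The last case is the one the reply makes: the grenoble.cnrs.fr record authorises 147.173.3.39 for that domain only, so when the same host is used with another domain in MAIL FROM, it is that other domain's record (or its absence) that decides, and a domain with no record yields "none" rather than a rejection.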