On Thursday 5 August 2004 14:45, Bourque Daniel wrote:
> Stupid question but:
> (because some of my domains have hundreds of thousands of hosts)
> Are you talking SMTP host that can actively send e-mail on the internet?

Not necessarily. Your host doesn't need to actually send e-mail for spammers
to be able to forge MAIL FROM in its name.

Suppose you have one host called "host318.mydomain.com" that never sends any
(direct) mail by itself, but has a DNS "A" record.

Spammers _can_ send forged MAIL FROM: <dummy(_at_)host318(_dot_)mydomain(_dot_)com>
and this will be generally accepted by the receiving party, as long as
host318.mydomain.com resolves in DNS to an "A" or "MX" entry.

If you want SPF to block such forgeries, you *must* have an SPF record for
host318.mydomain.com, either stating that it shouldn't appear at all in a
MAIL FROM: RH part, i.e. "v=spf1 -all", or use the same SPF record as your
higher level domain (stating outgoing mail bearing this RH part should go thru
your legitimate mail servers), possibly by redirecting with an SPF record
such as "v=spf1 redirect=mydomain.com".

HTH.
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
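
Added example, not part of the original message: a small audit that lists every name in a zone that resolves through an "A" or "MX" record but publishes no SPF record, and proposes one of the two records the reply describes. The zone data, the function names and the `used_in_mail_from` parameter are constructed for illustration.

```python
# Constructed sample zone: (owner name, record type, rdata).
ZONE = [
    ("mydomain.com", "MX", "10 mail.mydomain.com"),
    ("mydomain.com", "TXT", "v=spf1 mx -all"),
    ("mail.mydomain.com", "A", "192.0.2.10"),
    ("host318.mydomain.com", "A", "192.0.2.118"),
    ("host318.mydomain.com", "TXT", "location=rack 12 (constructed)"),
    ("www.mydomain.com", "A", "192.0.2.80"),
    ("www.mydomain.com", "TXT", "v=spf1 -all"),
]

def is_spf(rdata):
    """True if a TXT string is an SPF version 1 record."""
    text = rdata.strip().strip('"').lower()
    return text == "v=spf1" or text.startswith("v=spf1 ")

def missing_spf(records):
    """Names usable in MAIL FROM (A or MX present) with no SPF TXT record."""
    resolvable, covered = set(), set()
    for name, rtype, rdata in records:
        name = name.lower().rstrip(".")
        if rtype.upper() in ("A", "MX"):
            resolvable.add(name)
        elif rtype.upper() == "TXT" and is_spf(rdata):
            covered.add(name)  # unrelated TXT records do not count
    return sorted(resolvable - covered)

def suggest(records, parent, used_in_mail_from=()):
    """Map each uncovered name to one of the two records from the message.

    Names that legitimately appear in MAIL FROM inherit the parent policy
    via redirect=; every other name gets a flat "-all".
    """
    used = {n.lower().rstrip(".") for n in used_in_mail_from}
    return {
        name: f"v=spf1 redirect={parent}" if name in used else "v=spf1 -all"
        for name in missing_spf(records)
    }

if __name__ == "__main__":
    plan = suggest(ZONE, "mydomain.com", {"mail.mydomain.com"})
    for name, txt in plan.items():
        print(f'{name}. IN TXT "{txt}"')
```

For a zone with hundreds of thousands of hosts, the same pass can run over a zone transfer or an export from the provisioning database to generate the missing TXT records in bulk.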