spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Whitelisting

2004-08-11 10:42:26
from [Jonathan Gardner] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 August 2004 11:40 pm, Emmanuel Ormancey wrote:


SPF will not block spam, but will help blocking forged email senders.

Spammers using real domains and real addresses will configure their SPF
record accordingly, so how can the SPF record be used to populate a
whitelist ? A valid SPF record / Pass Spf check cannot be trusted as non
Spam (on the opposite, a SPF Failed check could be rejected).

How AOL or Hotmail will implement this, as they are both talking about
whitelisting ? And how do you plan to implement this ?



You have to compare what AOL has been doing with what they will be doing.

This is a simplification, but the idea is here. In the past, people who sent 
bulk email to AOL addresses were blocked. You are allowed to send a lot of 
email, just not bulk email. The block message reads, "If you are 
legitimate, call us and we can work out the details."

So the company calls AOL and AOL says, "Tell us which servers you are using, 
and we'll only accept email from those servers. Now remember, if you abuse 
us and send us email that people don't like, we will stop accepting your 
email. But if you are responsible and responsive, then we will allow you to 
continue sending email."

This was a problem because when you add an outgoing mail server, you have to 
tell AOL. Sometimes it takes AOL weeks to keep up with demand. It's just a 
lot of overhead - calling each other, testing, etc. Migrations that 
included chaning IP addresses or reverse DNS changes were painful.

The new process is to stop all the communications back and forth. If you 
send bulk email, they won't accept it,  same as before. You call them up 
and ask them about it, and they say, "Okay, we'll add you to the whitelist 
but you have to be responsible. Also, you have to tell us which servers are 
yours by publishing SPF."

Now all the overhead of communicating IP addresses and server migrations is 
gone. You are in control of those records, and you can change them as 
easily as you change your IP addresses.

If you don't send bulk email, you won't have any problems with AOL. They 
tolerate limited numbers of emails, even without SPF records.

- -- 
Jonathan M. Gardner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBGlqCBFeYcclU5Q0RAr4AAJ9LCp7Nuwo6AjxKEEQWOnMt0B99ZgCgp27A
J7e5OWViL5Lf5r4JXCQW2Lc=
=Q0Kv
-----END PGP SIGNATURE-----
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: how to avoid receiving email w. sender forged to be a host in my domain, Scott Kitterman
Next by Date:  Basic Question, Lou Katz
Previous by Thread:  Re: Whitelisting, Koen Martens
Next by Thread:  how to avoid receiving email w. sender forged to be a host in my domain, Jonathan C. Detert
Indexes:  [Date] [Thread] [Top] [All Lists]