Scott Kitterman <spf(_at_)kitterman(_dot_)com> writes:
I use (among others) Verizon DSL as an SMTP service. Since they use SMTP
Auth, I can use them even when I'm not connected through their network.
Because of the way SMTP Auth is set up for Verizon DSL, and Verizon DSL
customer can claim to be sending from any domain. As a result, to protect
myself from cross-customer forgery (which might result in you blacklisting
me), I have ?include:verizon.net in my SPF record.
Which is bad. If they use SMTP AUTH then they should have a separate
AUTH user for each domain which would prevent cross-customer forgery.