spf-discuss

Re: Some thoughts about spam and SPF

2004-08-19 00:23:50
On Thu, 2004-08-19 at 07:09, Graham Murray wrote:
Scott Kitterman <spf(_at_)kitterman(_dot_)com> writes:

I use (among others) Verizon DSL as an SMTP service.  Since they use SMTP
Auth, I can use them even when I'm not connected through their network.
Because of the way SMTP Auth is set up for Verizon DSL, any Verizon DSL
customer can claim to be sending from any domain.  As a result, to protect
myself from cross-customer forgery (which might result in you blacklisting
me), I have ?include:verizon.net in my SPF record.

Which is bad. If they use SMTP AUTH then they should have a separate
AUTH user for each domain which would prevent cross-customer forgery. 

I'm sure each customer does have a separate AUTH account, just that
there's no association between AUTH accounts and sending domains.
Setting up and maintaining such associations is definitely a non-trivial
exercise, but necessary really if people want to use a "+" mechanism
rather than a "?" mechanism for the shared server.

Paul.
-- 
Paul Howarth <paul(_at_)city-fan(_dot_)org>
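
The trade-off discussed in this thread, as an added example that is not part of the original messages: a simplified model of a shared relay with and without AUTH-account-to-domain bindings, and the SPF result a receiver derives from the `include:` qualifier. The relay name `isp.example`, the accounts, the domains and the binding table are constructed for illustration; only the `include:` and `all` mechanisms are evaluated.

```python
# SPF qualifier -> result when the qualified mechanism matches.
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

# Constructed binding table: AUTH account -> domains it may use in MAIL FROM.
BINDINGS = {"customer_a": {"example.org"}, "customer_b": {"example.net"}}


def relay_accepts(auth_user, mail_from, bindings=None):
    """Submission-side check. bindings=None models the relay described in the
    thread: any authenticated customer may claim any sender domain."""
    if not auth_user:
        return False
    if bindings is None:
        return True
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain in bindings.get(auth_user, set())


def spf_result(record, relay_domain, ip_is_relay):
    """Receiver-side result, left to right, first match wins. ip_is_relay
    stands for 'the relay domain's own SPF record passes the connecting IP'."""
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is "+"
        mechanism = term.lstrip("+?~-")
        if mechanism == f"include:{relay_domain}" and ip_is_relay:
            return QUALIFIERS[qualifier]
        if mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def cross_customer_outcome(record, bindings=None):
    """customer_b submits mail claiming customer_a's domain (example.org)
    through the shared relay; return what happens to that message."""
    if not relay_accepts("customer_b", "someone@example.org", bindings):
        return "rejected at submission"
    return spf_result(record, "isp.example", ip_is_relay=True)


if __name__ == "__main__":
    for rec in ("v=spf1 ?include:isp.example -all",
                "v=spf1 +include:isp.example -all"):
        print(rec, "| no bindings:", cross_customer_outcome(rec),
              "| with bindings:", cross_customer_outcome(rec, BINDINGS))
```
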