spf-discuss

Re: Email forwarding w/o submission service

2004-08-21 23:37:07
On Sat, Aug 21, 2004 at 04:02:08AM -0400, Barry Margolin wrote:
> My college alumni association provides an email forwarding service: any 
> alumnus can get a <user>@alum.mit.edu address that forwards to their 
> real email service.  However, they don't provide a mail submission 
> service -- you still have to send your mail out through whatever SMTP 
> server you would normally use.
> 
> How is this supposed to work with SPF?

It seems like the other guys who have responded to this have omitted to
actually answer the question.

If the people who run alum.mit.edu wish it to continue to work as at
present (i.e. anybody at all can use any server at all to send mail as
<whoever>@alum.mit.edu), then they should either not publish SPF records,
or publish a record which matches their policy (using +all, for example).

If however they wish to start to prevent joe-jobs, then they need to start
off by defining who *should* be allowed to send mail from the alum.mit.edu
domain. The easiest way for them to do this would probably be to provide a
submission service, and state that "only people using this submission
service should be sending mail from the alum.mit.edu domain". Then they
could publish an appropriate SPF record.

So, the short answer is: "This is supposed to work with SPF just the same
way that any other setup is supposed to work with SPF; they should publish
a record which accurately reflects their policy."

It is also supposed that once people publish their policies, the old
saying that "what goes around comes around" will apply; those with policies
which benefit the rest of us will benefit from publishing them, and those
that don't, won't. In the longer term this should discourage policies such
as that which you describe -- "anybody may send mail claiming to be from
our domain".



Cheers,


Nick
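
Added example, not part of the original message: a minimal SPF evaluator comparing the two kinds of record the reply describes, one matching the current "anybody may send" policy (+all) and one restricted to a submission service. The address 192.0.2.25 and both sample records are constructed for illustration, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# SPF qualifier prefix -> result; '+' is the default when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (not published by any real domain).
OPEN_POLICY = "v=spf1 +all"                      # any server may send
SUBMISSION_ONLY = "v=spf1 ip4:192.0.2.25 -all"   # hypothetical submission host only


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting client's IP address.

    Supports ip4, ip6 and all; any other term (a, mx, include, modifiers)
    raises ValueError rather than guessing at a result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError("unsupported term: " + term)
    return "neutral"  # nothing matched and the record has no 'all'


if __name__ == "__main__":
    # 203.0.113.7 stands in for an arbitrary third-party SMTP server.
    for label, record in (("open", OPEN_POLICY), ("restricted", SUBMISSION_ONLY)):
        for sender in ("192.0.2.25", "203.0.113.7"):
            print(label, sender, check_spf(record, sender))
```

With the +all record every sending host evaluates to pass, so the record gives receivers nothing to act on; with the restricted record, mail from any host other than the listed one evaluates to fail.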