spf-discuss

Non-adoption of SPF by most-phished domains

2004-09-01 12:41:39
Performing SPF checks, for me, is part of a larger strategy to reject
forgery of all sorts (for example, a surprising 10-20% of SMTP
connections to my server are HELOing with *my* IP or hostname). I've
been considering working up a Postfix content filter that does forgery
detection outside of SPF, mostly to protect my friends-and-family
users from the onslaught of phishing scams.

Then I thought, gosh, my job would be a lot easier if paypal.com,
ebay.com, and citibank.com (for starters) simply published SPF
records. Of the domains that I see phorged (sorry) most often, only US
Bank has published SPF -- and only for usbank-email.com, not for
usbank.com.

I know that implementation can be difficult for large, busy sites, but
if these guys don't see a strong business (financial) case for
publishing SPF, isn't that a bad sign?

Are efforts underway, but simply at such an early stage that they
can't even publish preliminary (softfail) SPF records?

Has there been any technical outreach aimed at these people?

Perhaps I'm being too impatient?

pb

-- 
paul bissex, e-scribe.com -- database-driven web development
413.585.8095
69.55.225.29
01061-0847
72°39'71"W 42°19'42"N
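
The forgery pattern mentioned in the message above (remote clients greeting with the receiving server's own IP or hostname) can be flagged with a check along these lines. This is an added example, not code from the original post; the hostnames, addresses and trusted networks are constructed placeholder values from documentation ranges.

```python
import ipaddress

# Assumed identity of the receiving server (constructed placeholder values).
MY_HOSTNAMES = {"mail.example.org", "example.org"}
MY_ADDRESSES = {ipaddress.ip_address("192.0.2.25")}
# Clients allowed to use our name: loopback and the server's own network.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

def _helo_address(helo):
    """Return the IP a HELO argument denotes, or None if it is a name."""
    text = helo.strip()
    if text.startswith("[") and text.endswith("]"):  # address literal form
        text = text[1:-1]
        if text.lower().startswith("ipv6:"):
            text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def helo_claims_us(helo):
    """True if the HELO argument is one of our own addresses or hostnames."""
    addr = _helo_address(helo)
    if addr is not None:
        return addr in MY_ADDRESSES
    # Hostnames compare case-insensitively; ignore a trailing root dot.
    return helo.strip().rstrip(".").lower() in MY_HOSTNAMES

def is_forged_helo(client_ip, helo):
    """A client outside our networks that greets with our identity is forging."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return False
    return helo_claims_us(helo)

# Constructed sample connections: (client IP, HELO argument).
SAMPLES = [
    ("203.0.113.7", "mail.example.org"),      # our hostname, remote client
    ("203.0.113.7", "[192.0.2.25]"),          # our IP as an address literal
    ("203.0.113.7", "192.0.2.25"),            # our IP, bare
    ("198.51.100.9", "MAIL.Example.ORG."),    # case and trailing-dot variant
    ("198.51.100.9", "smtp.sender.example"),  # ordinary remote HELO
    ("192.0.2.25", "mail.example.org"),       # the server talking to itself
]

def forged_samples():
    return [(ip, helo) for ip, helo in SAMPLES if is_forged_helo(ip, helo)]

if __name__ == "__main__":
    for ip, helo in forged_samples():
        print(f"reject {ip}: HELO {helo!r} claims this server's identity")
```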