spf-discuss

Re: Re: [SPF Classic] Policy best practices should be kept out

2004-10-07 10:13:09
Tony Finch wrote:
Actually I need to know the IP addresses of the outgoing email servers for
the forwarding sites. The users don't have this information and they don't
know who has, and we certainly don't have time to keep it up to date even
if we could obtain it.

_You_ have this information to a great extent already.
It is right there in your mail server logs. You just need
to know which domains to sort out.


How do I tell the difference between forged email and a configuration
change? What about rarely-used forwarding addresses? What about new
forwarding addresses? Have you tried to get useful co-operation from tens
of thousands of users who don't care much about email?

My point is that nobody has properly thought through how to deploy SPF on
anything other than toy domains in such a way that it can safely reject
email.


Many of those "toy domains" you refer to are businesses that need
the sort of sender authentication SPF provides to stay in business.

ISP domains are a distinct minority because dealing well with
the large number of users required to make a profit is difficult,
and simply keeping enough users to remain profitable while keeping
up with the technology is a major challenge for smaller ISPs.

Still, it has to be done, and deploying a technology such as SPF
into an ISP environment is non-trivial, but with a careful plan,
communication with the users, and the will to do it, it is quite
possible to get to rejecting on FAIL even in the ISP environment.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203