spf-discuss

Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 15:42:00
In <000001c4cdbb$8e9f9ce0$0316a8c0(_at_)bigp4> "Vivien M." 
<vivienm(_at_)dyndns(_dot_)org> writes:

> What you're saying works very well, for a SMALL domain where the person
> needing to 'spoof' controls the SPF record and/or the mail servers listed in
> it. That's great, put ?all, include the other places you may go to (e.g.
> your employer, relatives, educational institutions, whatever) and send mail,
> and go on with life.

The "roaming user" problem with SPF has many solutions, many of which
will work just fine for both large and small domains.  The solutions
include:

* Don't publish SPF records.

* Publish SPF records that end in ?all.

* Use SMTP AUTH to an authorized MTA

* Use relay-after-pop to an authorized MTA

* Use webmail from an authorized webmail server.  (It could be run by
  the organization, or it could be someone else.)

* Use a rate limiting DNS server to allow a few emails from
  unauthorized places.

* Add a Sender: header that passes SPF authorization while using your
  real email address in the From:

...  the list goes on.


> The problem comes when you're dealing with large organizations where some IT
> department (or ISP helpdesk) sets a -all policy, and you're too far down on
> the organizational hierarchy to do anything about it. (If you're the CEO,
> you can call up the IT manager and be like "WTF is this SPF crap that
> prevented me from sending email from the golf course?!?!? I WANT IT GONE
> NOW")

Stupid corporate policies are nothing new or unique to SPF.

I encourage you to continue to bring up the problems of stupid
policies and even to advocate not deploying SPF at all due to the
potential problems.  I think the vast majority of domains that have
published SPF records understand what they are doing and are getting the
results that they want.  Maybe with your help, we can increase that to
100%.



-wayne
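
Added example, not part of the message above and not code from the SPF project: a small evaluator for a subset of SPF (ip4, ip6, include, all) showing what a receiver computes for a roaming sender under a -all policy versus a ?all policy with an include. The domains, addresses and the RECORDS table are constructed sample data standing in for DNS.

```python
import ipaddress

# Constructed sample records (documentation address ranges, not real DNS data).
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 include:employer.example ?all",
    "employer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate a subset of SPF for a connecting client IP and a sender domain."""
    if depth > 10:
        return "permerror"  # guard against include loops
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            result = check_host(ip, arg, records, depth + 1)
            if result == "pass":
                return QUALIFIERS[qualifier]
            if result in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included domain: no match, continue
        else:
            return "permerror"  # mechanism outside this subset
    return "neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "strict.example"), ("203.0.113.7", "strict.example"),
                    ("203.0.113.7", "neutral.example"), ("198.51.100.5", "neutral.example")]:
        print(ip, dom, check_host(ip, dom))
```
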

