spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-19 11:43:41
On Fri, 19 Nov 2004, Vivien M. wrote:

The question then becomes: how do you tell somebody who feels they are
authorized using the first definition that they can't do what they want
because of a technology using the second definition? And if that somebody is
your boss, how do you convince them NOT to order you to remove your SPF
deployment?

Tell them they can either accept that spammers worldwide can pretend to be your company (and _will_) or he can authorize setting up an SMTP-Auth or webmail server so he can send mail from anywhere. And that the option of 'doing nothing' is the same as saying 'within two years people will refuse to accept mail from our domain _at all_'. And then let him do what he wants.

You want your cake and to eat it as well: You want to be able to prevent forgeries of your domains but you don't want to change infrastructure. And the two goals are mutually exclusive goals.

So you or your boss has to make the decision: Is it more important that your people be able to send mail from _anywhere_ without any configuration changes whatsoever, or is it more important that a Russian scammer can't use your domain however _he_ wants to - regardless of what you prefer?

It isn't strictly a technical problem at all. It is a people problem.
And it is _your_ people problem - not SPF's.

Use SPF. Don't use SPF. Make your own bed and sleep in it however you like. But don't complain that the bed is too high/too soft/too hard/too cold/too warm when _you_ chose it.

--
Jerry

