spf-discuss

RE: Sendmail white paper

2004-11-23 11:02:05
On Tue, 23 Nov 2004, David Woodhouse wrote:

On Sun, 2004-11-21 at 12:53 -0500, terry(_at_)ashtonwoodshomes(_dot_)com wrote:
Agreed, the over-zealous are a problem, but mostly they are just
hurting themselves.

I'm not sure that's entirely true. When they encourage people to
implement SPF without properly thinking it through for _themselves_ they
do us all a disservice. 


I agree with that.  Nobody should implement SPF without a lot of testing,
analysis, introspection, navel-gazing, talking, announcing, more talking, etc.

What I have mostly been advising people (those few who actually ask me) is
that they should set up SPF records to describe how mail is really sent.  If
they can really say for sure that all mail is sent through their known
servers, they should write -all; if they can't say for sure, they should write
?all, or possibly write an exists: clause that logs queries to a file and then
analyze the data and decide for themselves.

I'm advising folks to be much more careful on the receiving side.  Using 
the trusted-forwarders.org whitelist is a good start, but there are other 
forwarding relationships that they will need to whitelist for.  If they're not 
prepared to log, analyze the data, communicate to users and respond correctly 
to user questions/requests, they should not be trying to implement SPF for 
their receiving side.

Definitely going off half-cocked is a disservice.  I wish we had better 
instructional materials for people telling them how to set up in a test-only 
mode to gather real data before flipping on.


--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"
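
One way to carry out the "gather real data before flipping on" step from the message above, as an added example that is not part of the original post or of any SPF implementation: it compares constructed observations of sending IPs with the ip4 mechanisms of a draft record for the placeholder domain example.com and reports whether -all is supportable. Only ip4 is evaluated here; mechanisms that need DNS (a, mx, include, exists) are listed as skipped, and all names and sample values are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed draft record for the placeholder domain example.com.
DRAFT_RECORD = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ?all"

# Constructed observations: source IPs seen sending mail as @example.com,
# e.g. taken from mail logs or from queries logged through an exists: clause.
OBSERVED = ["192.0.2.3", "192.0.2.3", "198.51.100.25",
            "203.0.113.77", "203.0.113.77"]


def parse_record(record):
    """Return (ip4 networks, qualifier of 'all', terms not evaluated)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, all_q, skipped = [], None, []
    for term in terms[1:]:
        low = term.lower()
        if low.lstrip("+").startswith("ip4:"):
            # strict=False accepts host bits in a CIDR such as 192.0.2.3/28
            nets.append(ipaddress.ip_network(low.split(":", 1)[1], strict=False))
        elif low.lstrip("+-~?") == "all":
            all_q = low[0] if low[0] in "+-~?" else "+"
        else:
            skipped.append(term)  # needs DNS or is a negative match: not checked
    return nets, all_q, skipped


def audit(record, observed):
    """Count observed sources the record does not authorise via ip4."""
    nets, all_q, skipped = parse_record(record)
    unmatched = Counter()
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            unmatched[ip] += 1
    # -all is only supportable when every observed source is covered.
    suggestion = "-all" if not unmatched else "?all"
    return {"current": all_q, "unmatched": dict(unmatched),
            "skipped": skipped, "suggestion": suggestion}


if __name__ == "__main__":
    report = audit(DRAFT_RECORD, OBSERVED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each unmatched address is a source to investigate (a forwarder, an unlisted server, or forgery) before the record is tightened.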

