--Øyvind Henriksen <oyvind(_at_)increo(_dot_)no> wrote:
[Regarding adding a couple large ISPs to the default SPF record for hosted
domains]
I think this will benefit our users and simplify things a lot when
rolling out SPF, but I am concerned that it will result in a flawed
deployment, and maybe it will come back and haunt me in the future? :-)
This is the text I want to add, in addition to the rest of my SPF setup:
"include:online.no include:broadpark.no include:c2i.net
include:frisurf.no"
Here are some questions to think about first.
1. A significant number of users in Norway use these three ISPs. However,
that doesn't completely guarantee that those messages really came from the
legitimate owners of those domains. You could be opening yourself up to
complaints of forged messages getting an SPF Pass treatment, just because
someone else at the same ISP was doing the forging.
One way to address this is to make sure those ISPs have some anti-forgery
precautions within their own system. For example, does their mail server
require SMTP Auth, so that it knows the username of the customer
connecting? Does it then verify that the user is authorized to use that
domain name? (It is possible for those ISPs to keep lists of which
customer is allowed to use which email addresses, by sending test messages
to those addresses containing a confirmation code or link or something,
similar to signing up for a mailing list... but I don't think any ISPs have
actually set anything like that up yet.)
If any user logged on to their network is allowed to send mail out as
anybody (meaning they don't allow third-party relaying, but they don't have
any real anti-forgery protection on outgoing mail) then include is not
really what you want. Include says "Yes it really was this person" -- in
other words, we completely trust that ISP to not allow forgeries. If a
message from "online.no" *MIGHT* be from the legitimate user, but also
might be forged, don't put include:online.no -- put ?include:online.no
instead. That way if the check of "online.no" against the current IP
results in a PASS, then the ultimate SPF result for the customer's domain
would give back a "neutral" or "I don't know" response. ?include is great
because it allows you to put -all at the end more often and with fewer
problems -- but if you're putting ?all at the end instead of -all then
?include doesn't add value.
2. Do those other ISPs already have SPF records? include: assumes that the
name you are including has its own SPF record. If those domains haven't
published anything yet, don't use include... use A, MX, or PTR or
something. If you are in contact with those ISPs, maybe ask them to add a
TXT record -- it doesn't have to be for all their mail like "online.de" -
if it's only to be used for include: statements it could just as easily be
"spf.online.de"... then include: using that.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
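To make the include vs. ?include distinction concrete, here is a small SPF check routine written as an added example; it is not code from this thread or from any SPF library. It uses a constructed, in-memory table of SPF TXT records under the reserved .test TLD instead of real DNS, and only implements the ip4, mx, include and all mechanisms with the four qualifiers. The hosted domain's record follows the pattern discussed above: a fully trusted ISP via include:, a less trusted one via ?include:, and -all at the end.

```python
import ipaddress

# Constructed DNS data (sample values, not real records): domain -> SPF TXT record.
DNS_TXT = {
    "hosted.test": "v=spf1 mx include:online.test ?include:broadpark.test -all",
    "online.test": "v=spf1 ip4:192.0.2.0/24 -all",      # trusted ISP, fully included
    "broadpark.test": "v=spf1 ip4:198.51.100.0/24 -all", # ISP we only half-trust
    "bad-include.test": "v=spf1 include:nosuch.test -all",  # includes a domain with no record
}
# Constructed MX data: domain -> IPs of its MX hosts.
DNS_MX_IPS = {"hosted.test": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # point 2: nothing published for this name
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in DNS_MX_IPS.get(arg or domain, [])
        elif name == "include":
            # include: only matches when the included domain itself says "pass";
            # the qualifier in front of include: then decides what that pass means.
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"      # including a name with no SPF record is an error
        else:
            return "permerror"          # mechanism not supported by this mini evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end with no match


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.25", "203.0.113.99"):
        print(ip, check_host(ip, "hosted.test"))
    print("bad-include.test ->", check_host("192.0.2.10", "bad-include.test"))
```

Running it shows the behaviour the message describes: a sender on the fully included ISP's range gets pass, a sender on the ?include'd ISP's range gets neutral rather than pass, everything else hits -all and fails, and a record that include:s a name with no SPF record yields permerror instead of a usable answer.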