-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Nick
Phillips
Sent: Monday, January 03, 2005 6:54 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Should I include major ISPs in SPF for our
hosted domains?
On Mon, Jan 03, 2005 at 10:47:14AM -0500, Scott Kitterman wrote:
I would strongly recommend domain owners set a policy that
avoids giving an
SPF pass to messages sent from sources that allow for cross-customer
forgery. This concern does not apply to properly secured MTAs under the
control of the domain owner.
Right. So you don't authorize poorly-run MTAs to send mail for you. Makes
sense.
Unfortunately, almost all shared MTAs that allow a "foreign" mail from are,
by your definition, poorly run. SPF is great for those who run their own
servers, but for those of us who pay someone else to do it and don't have
the volume for a dedicated box it is more problematic.
Last year I asked if anyone on this list was aware of a company I could buy
SMTP services from that would not allow cross customer forgery. I got one
positive answer from Brazil.
In addition to SMTP-AUTH, MTA operators need to limit customers to using
authorized identities. This is a change for them that isn't going to happen
overnight.
Scott Kitterman