-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Julian
Mehnle
Sent: Thursday, January 06, 2005 5:24 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Should I include major ISPs in SPF for our
hosted domains?
Scott Kitterman [spf2(_at_)kitterman(_dot_)com] wrote:
Last year I asked if anyone on this list was aware of a company I could
buy SMTP services from that would not allow cross customer forgery. I
got one positive answer from Brazil.
In addition to SMTP-AUTH, MTA operators need to limit customers to using
authorized identities. This is a change for them that isn't going to
happen overnight.
And that can only mean that we have to advocate prevention of
cross-customer forgery more aggressively. We might even want to write up
an RFC that explains what MTA implementors and ISPs have to do.
Yes. Leaving aside the how for a moment, we need to advocate this. The way
to do it is in how we advocate SPF deployment. When we tell people the put
the ? in front of shared MTAs that don't prevent cross-customer forgery we
explain why and tell them that they ought to talk to their provider about
it. Eventually, this is going to be a competitive discriminator. That's
when it gets done.
Scott Kitterman