On Fri, 7 Jan 2005, Scott Kitterman wrote:
> I use Pair Networks as my domain host.  They provide SMTP services as part
> of their domain hosting.  Their SMTP server is relay.pair.com.  Now they
> have mechanisms in place to ensure that only their customers can send mail
> from relay.pair.com, but they place no restrictions on what identities their
> customers can use (yes, I have suggested that they do this differently in
> the future).
>
> So, in my SPF record, you will find ?a:relay.pair.com.
>
> When you receive my message, you can tell it came from relay.pair.com.
> There is no way that YOU can tell which of their 500,000 customers actually
> sent the message.  That's Pair's job (and strictly speaking outside the
> scope of SPF).
>
> I don't give relay.pair.com a pass because I don't trust those 500,000
> customers (all but 4 of which I don't know) not to try and forge my domain.
>
> What we are saying is that if the submitting SMTP server were to enforce
> limits on what mail identities their customers were able to use, then these
> shared servers could be safely given an SPF PASS.
Good example, and very well said.
-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
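The receiver-side consequence of the quoted `?a:relay.pair.com` choice, as an added example that is not part of this thread or of any SPF library: a small evaluator for the `a`, `ip4` and `all` mechanisms, run against a constructed in-memory table of A records instead of live DNS (the hostnames, addresses and the `example.com` domain are sample values, not Pair's real ones). It shows that the `?` qualifier yields Neutral for mail relayed through the shared server, that only a `+` qualifier yields Pass, and why a receiver's policy must treat Neutral as "no assertion" rather than as authentication.

```python
"""Minimal SPF qualifier evaluator (added example, not from the thread).

Handles only the `a`, `ip4` and `all` mechanisms; `mx`, `include`, `exists`
and macros are omitted. DNS is replaced by a constructed lookup table.
"""
import ipaddress

# Constructed stand-in for DNS A-record lookups. These are documentation
# addresses (RFC 5737), not the real addresses of these hosts.
FAKE_A_RECORDS = {
    "relay.pair.com": ["192.0.2.25"],
    "mail.example.com": ["198.51.100.10"],
}

# Qualifier prefix -> SPF result name (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def resolve_a(hostname, table=FAKE_A_RECORDS):
    """Return the A records for hostname from the constructed table."""
    return table.get(hostname.lower(), [])


def evaluate_spf(record, client_ip, domain, resolver=resolve_a):
    """Return the SPF result for client_ip against the given record.

    Mechanisms are checked left to right; the first one that matches
    decides the result through its qualifier (default `+`). If nothing
    matches the result is Neutral. An unknown mechanism is a PermError.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "a":
            host = arg or domain          # bare `a` means the sending domain
            if any(ip == ipaddress.ip_address(a) for a in resolver(host)):
                return QUALIFIERS[qualifier]
        else:
            return "PermError"
    return "Neutral"


def accept_as_authenticated(result):
    """Receiver policy: only Pass establishes that the sender identity is
    authorized. Neutral means the domain owner makes no claim either way,
    so a shared relay under `?a:` must not be treated as authenticated."""
    return result == "Pass"


if __name__ == "__main__":
    # Constructed record in the shape the quoted post describes: the
    # domain's own mail host is listed with `+`, the shared relay with `?`.
    record = "v=spf1 ip4:198.51.100.0/24 ?a:relay.pair.com -all"
    for client in ("198.51.100.10", "192.0.2.25", "203.0.113.9"):
        r = evaluate_spf(record, client, "example.com")
        print(f"{client:15} -> {r:8} authenticated={accept_as_authenticated(r)}")
```

Running the block prints Pass for the domain's own host, Neutral for the shared relay, and Fail for an unlisted address; only the first line is accepted as authenticated. Changing the record to `+a:relay.pair.com` would turn the relay's result into Pass, which is exactly the grant the quoted post declines to make while the relay does not restrict sender identities.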