spf-discuss

RE: RE: rr.com and SPF records

2005-03-18 12:00:34
On Fri, 2005-03-18 at 11:52, Scott Kitterman wrote:
> To the extent that ESP has 100% uptime, you are right.  I currently list 3
> companies' mail servers in my record...
>
> 1.  My ESP - I use this when connecting on the road and also if I can't get
> through using my DSL/Cable provider's MTA.
>
> 2.  DSL Provider's MTA - My primary.
>
> 3.  Cable company's MTA - I have a cable modem for backup connectivity, so I
> list their MTA for when I connect that way. (BTW, this is Comcast and I HAVE
> asked.  They are clueless beyond belief).

Why not submit your email to your ESP all the time?  Any Email Service
Provider has to be more receptive than a general provider like Comcast
to providing services like SMTP AUTH and submission on port 587.  Last
time it was mentioned here, no one could find a provider who was
blocking port 587, and even if you could, an ESP should be willing to
let you submit on a different port and over SSL so you can use the
specific service they are providing you, since you are, presumably,
paying for it.

A system is only as strong as its weakest link.  Using big consumer
grade services that everyone and their dog uses, like Comcast, to send
your email doesn't actually help a domain forgery situation.  Unless
Comcast would do something to prevent cross-customer forgery (and if
they are clueless about using the submission port, they are most likely
clueless about avoiding cross-customer forgery also), listing them in
your domain's SPF record does not get you significantly close to a
strong forgery avoidance system.

> You may believe that I don't need all this redundancy, but I do.

Then why rely on consumer level services?  If email is that important,
then why not run your own MTA, which may be multi-homed for redundancy?
Then your domain's SPF record can list the IP addresses for your own MTA
and you never need to worry about your providers' MTAs or their SPF
records.  If email is important to your business, then presumably being
confident that your domain isn't being used by someone other than you is
also important.

> If I'm not doing e-mail, I'm pretty much out of business.

If your ESP is not close to 100% reliable, then how are you receiving
email as reliably as you are able to send it?  Do you only send email? 
Or do your customers have to send to your address
@email-service-provider.com, @dsl-provider.com and @comcast.com in case
one of them happens to be out?

If not being forged isn't important to you or your business, then don't
publish SPF records.

-- 
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>
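The "weakest link" point above (any host a record authorizes can pass SPF for the domain, so listing a shared consumer ISP's outbound MTA authorizes every other customer relaying through it) can be seen directly by evaluating two candidate records. The following is an added example for this thread, not code from either poster or from any SPF implementation; it is a deliberately minimal evaluator that handles only `ip4:`/`ip6:` mechanisms and the `all` terminator (mechanisms that need DNS, such as `a`, `mx` and `include`, are not modelled), and every IP address, range and record in it is constructed from documentation address space.

```python
"""Minimal SPF evaluator (ip4/ip6/all only) used to compare how much a
tight record and a broad record each expose a domain to forgery.
Added example for the spf-discuss thread; not from the list or its posters.
All IPs, ranges and record contents below are constructed (RFC 5737 space)."""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip against a
    record made of ip4:/ip6: mechanisms and an optional 'all' terminator.
    Mechanisms that require DNS lookups are not modelled here."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS; not modelled")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # nothing matched, no 'all' terminator


def forgery_exposure(record: str, candidate_ips) -> list[str]:
    """Hosts from candidate_ips that would get a 'pass' for this record,
    i.e. hosts able to send as the domain regardless of who runs them."""
    return [ip for ip in candidate_ips if evaluate_spf(record, ip) == "pass"]


# Constructed addresses: the domain owner's own MTA versus a consumer ISP's
# shared outbound range that every customer of that ISP relays through.
OWN_MTA = "192.0.2.25"
SHARED_ISP_OUTBOUND = "203.0.113.0/24"
OTHER_ISP_CUSTOMER = "203.0.113.77"   # unrelated customer behind the same ISP MTA
UNRELATED_HOST = "198.51.100.9"       # host not authorized by either record

TIGHT_RECORD = f"v=spf1 ip4:{OWN_MTA} -all"
BROAD_RECORD = f"v=spf1 ip4:{OWN_MTA} ip4:{SHARED_ISP_OUTBOUND} -all"

if __name__ == "__main__":
    probes = [OWN_MTA, OTHER_ISP_CUSTOMER, UNRELATED_HOST]
    for name, rec in (("tight", TIGHT_RECORD), ("broad", BROAD_RECORD)):
        print(f"{name}: {rec}")
        for ip in probes:
            print(f"  {ip:>16} -> {evaluate_spf(rec, ip)}")
        print("  hosts that pass:", forgery_exposure(rec, probes))
```

Running it shows the tight record passing only the owner's MTA, while the broad record also passes the other ISP customer's mail: adding the shared range buys connectivity convenience at the price of every co-customer of that ISP being able to pass SPF for the domain. A real record would also be checked for its `include:`, `a` and `mx` mechanisms, each of which widens the authorized set in the same way.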