On Mon, 16 May 2005, Scott Kitterman wrote:
I think this ignores the many valid reasons for this:
1. Match mechanism for a shared-MTA that doesn't prevent cross-customer
forgery.
Certainly a valid reason. Hence, the campaign it get at least *one*
commercial SMTP provider that prevents cross-customer forgery.
Heck, even here on spf-discuss, my proposal for a simple way
to communicate domain policy to SMTP provider was completely
misunderstood - because noone is thinking about exactly how
the cross-customer forgery is going to be prevented.
2. Domain is often forwarded via non-SRS forwarders to MTAs that don't
whitelist the forwarders.
This is not a valid reason.
It is just working around braindamage in recipient MTA config.
This is a losing battle. Recipients shouldn't be checking SPF
if they aren't going to do it properly. Failing to account for
non-SRS forwarders in their is not doing it properly. You should
encourage them to fix their config - or stop checking SPF until they.
Don't encourage the braindamage by working around it.
3. Domain is often used to send from web services either not in
trusted-forwarder.org or to MTAs that don't whitelist the services.
This is only a semi valid reason. Web services shouldn't be forging your MAIL
FROM. You shouldn't be using these web services.
But, I understand that sometimes the PHB doesn't understand how broken
it is. At least make sure you've emailed the admins for the broken
web service to politely explain how to do it properly. The explanation
on spf.pobox.com is still valid (although it talks about SenderID instead
of SPF, the recommended practice works for both).
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.