
RE: Sep 22 - Jan 03

2005-05-25 07:22:49
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Alex van den Bogaerdt
Sent: Wednesday, May 25, 2005 10:03 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Sep 22 - Jan 03


On Wed, May 25, 2005 at 05:59:23AM -0400, John Glube wrote:

I travel a lot and use my laptop while on the road,
connecting through my wireless connection. Should this not
be possible, I want to be able to use any machine that is
available at the time, along with any Internet connection
to send email through my server.

Delivery of my personal, business and transactional email
is mission critical. I can't afford to have this kind of
email go missing because of a problem with mail forwarding
and SPF.

Would you advise this individual to publish a closed or
open SPF record, given the present state of the email
infrastructure?

  "... through my server ..."

You are connecting to your infrastructure, sending messages
through your infrastructure.  We will be getting these messages
from your infrastructure, not from "any machine".

This seems to call for "v=spf1 +yourmachines -all".

If you mean "forwarding" as in transferring a message from one
MTA under your control to the next one under your control:
SPF does not apply.

If you mean "forwarding" as in resending the message performed
by receivers and using your name, that's their problem.  If you
want to make it your problem, do not use "-all".

By publishing "-all", the domain owner does indeed state that
others, such as "forwarders" (resubmitters IMHO) are NOT
authorized to use other people's domain names.

This is the whole point of SPF.  There's no difference between
a spammer saying "MAIL FROM:<jbglube(_at_)sympatico(_dot_)ca>" and a
forwarder saying "MAIL FROM:<jbglube(_at_)sympatico(_dot_)ca>".  In both
cases, they are or are not authorized to use "sympatico.ca".

If you want to allow the whole world to use sympatico.ca in
SMTP transactions, don't publish SPF, publish "?all" or even "all".

If you want to receive bounces only for mail you actually transmitted
(not: created!), you publish "-all".

If you accept responsibility for a message (by ending an SMTP transaction
with "220 message accepted") and decide to resend this message to another
trust domain, use your own name as SENDER.

I would add that, as an interim measure, where interim is probably defined
as a really long time, you could make trusted-forwarder.org a part of your
sender policy and substantially mitigate the forwarding issue.

This doesn't solve the problem of web-enabled mailers using your mail from.
For those, I usually just mail it to myself and then forward it manually to
the people I want to get it.

That would change the SPF record to:

"v=spf1 +yourmachines ?include:spf.trusted-forwarder.org -all"

Scott K
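An added worked example, not part of the thread, showing how a receiver evaluates the "-all" / "?all" / "+all" endings and the "?include:" construct discussed above. It uses a constructed in-memory zone in place of real DNS TXT lookups; the domain names and IP ranges are assumptions.

```python
import ipaddress

# Constructed, in-memory SPF "zone" standing in for DNS TXT lookups.
# No real records are queried; names and addresses are illustrative.
ZONE = {
    # closed record with the forwarder include from the thread
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:spf.trusted-forwarder.org -all",
    # what a trusted-forwarder list might look like (hypothetical content)
    "spf.trusted-forwarder.org": "v=spf1 ip4:198.51.100.0/24 -all",
    # the "open" alternatives mentioned in the thread
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "open.example": "v=spf1 ip4:192.0.2.0/24 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified check_host: supports ip4, include and all only."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":               # "all" always matches
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only on an inner "pass"; the outer qualifier
            # then decides the result, so "?include:" yields neutral, not pass.
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        # any other or non-matching term: continue with the next one
    return "neutral"                    # no mechanism matched
```

A sender on the forwarder's range gets "neutral" from example.com, so a receiver that only rejects on "fail" still accepts it, while an unlisted host gets "fail" from the closed record but "neutral" or "pass" from the open ones.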

