spf-discuss

Re: SPF Stats

2005-07-04 21:58:04
--David Woodhouse <dwmw2(_at_)infradead(_dot_)org> wrote:

> On Sun, 2005-07-03 at 23:10 +1200, Lennon - Orcon wrote:
>> Forwarding / SRS is the big killer of SPF at the moment.. more people
>> have to start using SRS. (how many commercial mailers (or even
>> non-commercial) do by default?)
>
> There isn't even an internet-draft being put forward which standardises
> SRS. It seems to be entirely dead in the water, and yet it needs to be
> done _before_ any official blessing of SPF can (sanely) take place.


I wouldn't say that's entirely true. SPF would benefit if the forwarding issue were to be solved, but there are other approaches that receivers can use. (However the words "official" and "sanely" provide some room to be subjective, so I won't go so far as to say "you're wrong". The following is intended to be read as my opinion only, not as proof of anything :)

A lot of ISPs are asking users to maintain whitelists, and if a message comes in from someone not on the whitelist, it stands a reasonable chance of going into the Bulk folder or whatever. Receivers could do something similar with forwarding - they can advise users that if other mail addresses are being forwarded here, they should mark those forwarding domains as accepted forwarders.

It's easy to imagine a big ISP providing an interface for users to whitelist certain forwarders by domain name (which would take care of the very small forwarders) or even to imagine that they might take domains that have been whitelisted by 1000 or more users and put them on the global whitelist, as long as the forwarder doesn't have a significant spam problem.

It's a problem that requires imagination, cleverness, and some hard work, but I wouldn't go so far as to say it's an impossible problem to solve.





> In the meantime, some senders continue to publish SPF records with
> '-all' and say "you should trust the recipients not to honour SPF if
> there's a forwarding problem", while some recipients continue to reject
> for a 'fail' result and say "but I'm just doing what the sender said".
> And genuine mail continues to go missing for these people.
>
> Forwarding is something that can't properly be tracked by _either_ the
> sender or the recipient, in the general case. My ISP certainly doesn't
> have any way to tell how many of its customers forward mail to its
> servers, or from where. Hence they know perfectly well that they'd lose
> business if they were silly enough to reject mail for an SPF failure.


In general I would agree that this is the current state. You definitely need a whitelist of some kind if you plan to reject mail on SPF failure. If I were in an important position at a big ISP, I would be running tests, trying to identify forwarders, and perhaps doing some development on ways to prompt users to enter their forwarding addresses.

Probably the smart thing for those ISPs to do would be to put the mail into the Bulk folder or something similar, until the customer indicates that the forwarding address is actually his. I wouldn't recommend that people actually reject spf-fail at this point... not without a good whitelist and a good interface for people to add to their personal forwarding whitelist. In that way I agree with you. I would classify it as "definitely not ready for prime time" but I probably wouldn't go so far as to call it dead in the water.

Unfortunately SPF doesn't have a marketing wing, so there are very few people getting on the phone to ISPs to try and sell them on the idea of tracking forwarders, offering whitelisting, doing a phased rollout, etc.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
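
Added example, not part of the original message or of any SPF implementation: a sketch of the receiver-side policy discussed in the message above, where an SPF `fail` goes to the Bulk folder unless the relaying domain is on the recipient's forwarder whitelist or on a global list built from 1000 or more user whitelistings. The class and method names, the 5% spam-rate cutoff, and the assumption that the caller supplies a verified relay domain (for example from forward-confirmed reverse DNS of the connecting IP, never from message headers) are all hypothetical.

```python
from collections import defaultdict

GLOBAL_THRESHOLD = 1000  # "whitelisted by 1000 or more users" (from the message)
MAX_SPAM_RATE = 0.05     # assumed cutoff for "a significant spam problem"


def _norm(domain):
    """Case-fold and drop a trailing dot so lookups are consistent."""
    return domain.lower().rstrip(".")


class ForwarderPolicy:
    """Receiver-side handling of SPF 'fail' for mail relayed by forwarders."""

    def __init__(self):
        self.user_lists = defaultdict(set)  # recipient -> accepted forwarder domains
        self.votes = defaultdict(set)       # forwarder domain -> recipients listing it
        self.spam_rate = {}                 # forwarder domain -> observed spam fraction

    def add_forwarder(self, recipient, domain):
        """Record that this recipient marked the domain as an accepted forwarder."""
        domain = _norm(domain)
        self.user_lists[recipient].add(domain)
        self.votes[domain].add(recipient)

    def is_global(self, domain):
        """Enough independent user listings and no significant spam problem."""
        domain = _norm(domain)
        enough = len(self.votes.get(domain, ())) >= GLOBAL_THRESHOLD
        return enough and self.spam_rate.get(domain, 0.0) <= MAX_SPAM_RATE

    def decide(self, recipient, spf_result, relay_domain):
        """Return 'normal', 'forwarded' or 'bulk'. Nothing is rejected here.

        relay_domain must be the verified domain of the connecting host
        (assumption: resolved by the caller), not a value taken from headers.
        """
        if spf_result != "fail":
            return "normal"      # continue with the usual filtering
        relay_domain = _norm(relay_domain)
        if relay_domain in self.user_lists.get(recipient, ()):
            return "forwarded"   # recipient vouched for this forwarder
        if self.is_global(relay_domain):
            return "forwarded"   # widely vouched for and not spammy
        return "bulk"            # hold in Bulk until the user confirms
```

Counting distinct recipients per domain, rather than raw submissions, keeps one account from promoting a forwarder to the global list on its own.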

