spf-discuss

Re: SPF+SRS vs. BATV

2005-07-05 09:31:34
Stuart D. Gathman wrote:

On Tue, 5 Jul 2005, David Woodhouse wrote:

The second statement is patently false.  If you don't want to deal
with your forwarding mess, simply don't check SPF, or don't reject on fail.
End of story.  You can still publish SPF, SPF still works great for
those who are fully participating.

I cannot publish SPF (with -all) today because I know there are
recipients out there who would reject valid mail after it's been
forwarded. To publish '-all' would be saying that no valid mail from my
users would ever come from IP addresses other than my own, and I _know_
that to be false, because SRS isn't ubiquitous.

Any recipient who rejects your mail because they forwarded it somewhere else first is badly broken. (Remember, it is *their* recipient address. They
did any forwarding to some other address.)  Of course, many recipients are
badly broken, but not usually in their SPF implementation.  Your argument
amounts to "Gee, some people might not implement SPF checking properly,
so I have to gut my SPF record to try and compensate for some of the stupid mistakes they might make."

Ahhh... but in the 'real' world of 'delivering email to clients', we have to sometimes deal with these busted systems. Two weeks ago, I had one client lose $600.00 because their client didn't have reverse DNS. I have rejects set up for that, only because I know 90% or so of the rest of the world rejects on that, too. I'm constantly placed between the rock and the hard spot. Knowing there are hordes of methods for rejects for non-RFC compliant mail systems... accepts postmaster, acceptance of NULL sender, .... and blah blah blah... , but at the same time, I know there are actually very few domains with proper DNS on systems that are correctly configured. And too many people who simply 'don't know', sign up for these poor services. So, I'm placed between block spam and deliver all good email. My clients are primarily in the innkeeping business. Most of them claim over 80% of their business comes directly from the internet. Email is critical to us all, but I seem to be in a very hot seat.

I too had a -all record set up on one domain for 6 or 8 months. I did get several rejects. I made contact with some of these sysadmins to explain to them their errors. In about 50% of the cases, they didn't even know what it was, apparently it was just an 'on/off switch' to them, which looked like a good spam filter. I think there are going to be a LOT of these broken mailservers in the next year or so.

I think my only choice is a ?all at present, followed by a ~all sometime in the future (as acceptance and testing is completed) and then -all once the world catches up. I see a proper implementation as a very fluid process.

I've had 15 years of experience dealing with braindead mail software
and ignorant admins.  I can assure you that at least for now,
the kind of mail admin who would make that kind of stupid mistake
will not have heard of SPF.  I deal with mail delivery problems constantly,
all the domains I manage have published SPF with -all for a year, and there has
never been a problem with delivery due to the incorrect SPF checking you fear.
Until SPF hits the threshold where everyone does it whether they understand it
or not, your imagined problem does not exist.

You've been lucky....

In anticipation of that threshold, we need more FAQs on how to avoid
common mistakes.  Rejecting fails without accounting for your
forwarders could turn out to be one of those common mistakes.

I am 'extremely' frustrated with SPF! I have been on this list since back in July or August. I have not read perhaps 90% of the postings as they were sometimes over my head and sometimes just not what I needed to know. I'm sure if I had read everything, I'd have a better understanding of SPF, but gee, asking all the sysadmins out there to decipher 'where we are' is in my opinion a bit much to ask. I want to put into place SPF records for the 600 or so domains on our systems... I 'want' SPF to 'make it'!

My frustration comes in two parts.

First, simply deciding on 'where' to begin. I think I will need to plan '?all' first and remain fluid as the standard evolves into a working system. My idea is to place under one of my domains a '?all' record and use that as an include or redirect for the rest of the applicable situations on the other domains. I'm trying to avoid micromanagement of those other 600 and perhaps a need to edit all of them again, when I can edit one during this 'fluid' time. I later plan to move forward with customized records for each domain. I can't even seem to get a clear 'Yes' or 'No' on that idea. And there certainly isn't enough information on the website to help me in my decision.

Second, there is a huge lack of information. I feel pretty bad about even bringing this up as I know the people on this list have worked very hard putting in many hours. I did make a post maybe 6 months ago about the website or lack of one. I understand and see that it is at least 'alive' again. But, even to me, one who is not a complete neophyte with regards to SPF, the website does little good. One is just as likely to find old information as new information, some of the old perhaps being wrong? The bottom line is the website is of no reliable use to someone new trying to set up their SPF record(s).

Someone mentioned the promotion of SPF and it was mentioned that there was no money for promotion. The website could be and likely should be the main area for promotion, so the above statement changes from 'money' to 'time'.... which is not all that different, but still is different. As one who is trying to look at SPF from an outsider's point of view, I would say 'forget this!' Looking at this from a bit of an insider's point of view, my frustration level is high. I want SPF to make it... but I can't even come to a clear decision for my own system! It was suggested that I hire a consultant.. well gee.. I have never hired a consultant and if all the sysadmins wind up being asked to do that, SPF will never make it.

I would like to with the utmost respect for the great people on this list, issue a challenge. I would like to see these great minds put together an effort to create the website the world needs. I would think that setting aside the work on SPF2 for a period of 2 weeks to 1 month and that time being put into efforts toward a useful website.

The foundation to the 'house of SPF' is built, but almost no work has been done on the 'house'.

Yes, if you feel I'm totally out of line here, go ahead and tell me to ride back out on that high horse I rode in on... Otherwise, I will volunteer time and efforts towards what would be most helpful on the site, although I'm not so sure I know enough about the workings of SPF to actually do much in the way of creation. One idea I have, like was mentioned above, is FAQs, but we need a system very much like FAQs only perhaps called 'Scenarios', an FAQ based layout, with a menu of things like 'I have all my mail forwarded through my ISP', 'I send all my mail to my mailserver' and for each provide an explanation and an example record. Ultimately trying to cover all the 'Scenarios'.

Clarifying the Wizard would be a big help, many of us on this list have complained about it, but I haven't noticed any changes to it.

I'm very much wanting SPF to become a 'de facto accepted internet standard' (i.e. actually used by large ISPs). But I am extremely frustrated and this has built over the months and gotten a lot worse in the last two weeks. I know this is my problem, not yours, but I feel this is how a lot of the rest of the world must feel.

So how about it? How about some lowly web work? I know this is a bit like asking a Senator to type their own letter.. :)

Respectfully Submitted,
John Hinton
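
An added example, not part of the original message: the question above of pointing many domains at one shared '?all' record by include or by redirect turns on how each hands back the shared record's "all" result. This sketch evaluates only the ip4, all, include and redirect terms as RFC 7208 defines them; the domain names, addresses and the helpers make_zone, check_host and compare are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def make_zone(shared_all):
    """Constructed TXT records; names and addresses are placeholders."""
    return {
        "_policy.example.net": f"v=spf1 ip4:192.0.2.0/24 {shared_all}",
        "redirected.example": "v=spf1 redirect=_policy.example.net",
        "included.example": "v=spf1 include:_policy.example.net",
    }

def check_host(ip, domain, zone, depth=0):
    """Evaluate the ip4/all/include/redirect subset of SPF (RFC 7208)."""
    record = zone.get(domain, "")
    if depth > 10:
        return "permerror"
    if not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:])
        elif term.startswith("include:"):
            # include matches only when the inner check returns pass; the
            # inner record's "all" qualifier is never inherited.
            inner = check_host(ip, term[len("include:"):], zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        # redirect hands the whole decision, "all" included, to the target.
        result = check_host(ip, redirect, zone, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"  # nothing matched and no redirect

def compare(shared_all, ip="198.51.100.7"):
    """Result per domain for a sender outside the shared ip4 range."""
    zone = make_zone(shared_all)
    return {d: check_host(ip, d, zone)
            for d in ("redirected.example", "included.example")}
```

With the shared record at ?all both domains return neutral for an outside sender; after the shared record is edited to ~all or -all, only the redirect= domain follows, while the include: domain stays neutral until it gets its own all term.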