I think I agree with Stuart here, but what Stuart wrote doesn't really
contradict David's point. David is right too... the forwarding problem is
a huge one, and the SPF FAQ doesn't portray all its sharp edges.

On Wed, 6 Jul 2005, David Woodhouse wrote:
> No, the website FAQ massively downplays the problem. I'd even go so far
> as to call it downright dishonest. It says "You'll have to switch from
> forwarding... to remailing". But that's not really true. What it should
> say is that you'll have to wait for the whole of the rest of the world
> to make that switch. It's not about what _you_ do yourself when
> forwarding.

I agree with David here, that forwarding is a problem and it's not readily
solved. The documentation should probably be improved to say that
forwarding is an issue. Some partial solutions exist, but that doesn't
absolve us from informing receivers of the potential pitfalls.

Some folks have posted that they were able to use trusted-forwarder.org and
other whitelists to catch most legit forwarding that would be blocked. On
a larger scale, we should probably recommend that receivers *not* reject
mail based solely on SPF failure, at least not without testing the hell out
of it and building their own whitelist.

Question for anyone who has insight and/or experience on it: How do you
detect a forwarding arrangement by looking at your logs or scanning
messages? Are there any measurements or detection mechanisms that make a
forwarding address set up by one of your users appear distinct from a
zombie or other forging spammer?

--"Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> wrote:
> "Forwarding" (in the sense of the above) is only a problem for some
> domains - typically large ones who don't want to coordinate
> setting up this type of forwarding with users. And the problem is
> only that these large domains can't reject mail based solely on
> an SPF result. They are no worse off than before. They can still
> publish an SPF record to great benefit - and use ?all if they don't
> want to make their users use SMTP AUTH either.
>
> While these large domains may represent a majority of email users,
> they are a small minority of domains. The rest of us *do* know
> who our forwarders are, and when you know who they are, it is
> simply not a problem.

While we may disagree about what constitutes "most" or even "a lot" -- I
would submit that the numbers don't tell the whole story. I think we can
all agree that SPF is useful for some situations, and infeasible for
others.

I applaud the efforts of Stuart and others who are using SPF in their own
environments, of whatever size. It's only by racking up lots of successes
on the small to medium scale that we'll be able to advance to the next
step. Keep collecting data and writing about your experiences!

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
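
Added example, not part of the original message or of any SPF software: a sketch of the receiver-side policy discussed in this thread, where known forwarders are whitelisted before the SPF result is consulted and SPF failures are only logged during a testing phase instead of rejected. The function names, the whitelist contents and the sample log pairs are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical local whitelist: forwarders our own users told us about.
# Documentation address ranges, constructed for this example.
KNOWN_FORWARDERS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/28", "2001:db8:10::/48")]

def is_known_forwarder(client_ip, forwarders=KNOWN_FORWARDERS):
    """True if the connecting host is one of our listed forwarders."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in forwarders)

def decide(spf_result, client_ip, enforce=False, forwarders=KNOWN_FORWARDERS):
    """Return (action, reason) for one SMTP transaction.

    spf_result is the verdict already computed for the envelope sender.
    enforce=False is the testing phase: failures are logged, not rejected.
    """
    if is_known_forwarder(client_ip, forwarders):
        return ("accept", "known-forwarder")   # SPF fail is expected here
    if spf_result != "fail":
        return ("accept", "spf-" + spf_result)
    if enforce:
        return ("reject", "spf-fail")
    return ("accept-and-log", "spf-fail-report-only")

def whitelist_candidates(transactions, forwarders=KNOWN_FORWARDERS):
    """Count report-only SPF failures per client IP, for manual review."""
    hits = Counter()
    for spf_result, client_ip in transactions:
        action, _ = decide(spf_result, client_ip, False, forwarders)
        if action == "accept-and-log":
            hits[client_ip] += 1
    return hits.most_common()

# Constructed sample: (SPF result, connecting IP) pairs from a mail log.
SAMPLE = [("fail", "192.0.2.5"), ("fail", "198.51.100.7"),
          ("fail", "198.51.100.7"), ("pass", "203.0.113.9"),
          ("softfail", "203.0.113.20"), ("fail", "203.0.113.44")]

if __name__ == "__main__":
    for ip, count in whitelist_candidates(SAMPLE):
        print(ip, count)
```

The per-IP counts only show which hosts would have been rejected; whether a given host is a legitimate forwarder still has to be confirmed by hand before it goes on the whitelist.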