On Thu, 7 Jul 2005, Stuart D. Gathman wrote:
You do have to force them to maintain a list. But it doesn't have
to be IP addresses. They only need to list forwarder domains. Use SPF
to translate the domains to IP addresses. Even if the forwarder
doesn't publish SPF, a "best guess" record will usually work. And
you can provide a local substitute.
For instance, if a forwarder has no SPF record, but sends from
smtpN.joesforwarding.com for many N, you could supply a local
SPF record of "v=spf1 ptr -all" for joesforwarding.com.
I provide local SPF records to all the MTAs I administer via DNS.
When there is no SPF record for example.com, I then lookup
example.com._spf.mydomain.com, and put all the local SPF
records in _spf.mydomain.com.
This provides a superior and flexible form of whitelisting - very
useful even if *nobody* actually published SPF!
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.