spf-discuss

Re: Explain please

2005-07-08 08:14:19
On Fri, 2005-07-08 at 10:04 -0500, wayne wrote:
> SPF does work, without SRS.
>
> Without all forwarders using SRS, there is a chance that you will get
> a false positive due to the forwarding, but false positives happen all
> the time with modern day email.  Saying that "SPF doesn't work" is
> like saying "spam filtering doesn't work".

OK, perhaps I should have been more careful about my use of the word
'work'. I mean that it throws out valid mail in a relatively common
case, which means it isn't workable for me. 

I think we've already agreed to disagree on precisely how common that
case is and at what point it becomes a problem for domains of varying
sizes.

> As Scott Kitterman pointed out with his review of the SPF support
> requests, and as I can confirm with the T-FWL listing requests (or
> lack thereof), and as many of us who publish records with -all can
> tell by the lack of rejections, forwarding just isn't a huge problem
> in practice.

Be careful what you infer from that. You could just as well infer from
the above that there are _very_ few significant domains actually
rejecting mail for SPF failure. It isn't easy to tell which is the case.

Whenever I observe a recipient rejecting messages forwarded by my
servers for SPF failures, I don't request that my servers get listed in
the trusted-forwarders list. I merely contact the receiving domain and
point out that their use of SPF is rejecting valid mail.

After I explain the problems with SPF they usually express surprise,
because that's not quite how it was sold to them, and disable it.

I do have a facility to perform SRS for domains which still refuse to
stop checking SPF, but in fact I haven't had to use it. The few
recipients who were checking it have just turned it off after I
contacted them.

-- 
dwmw2
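
The forwarding case argued over in this message, as an added example that is not part of the original thread: a simplified SPF evaluator (only `ip4` and `all` mechanisms, no DNS) shows a forwarded message failing against a `-all` record, and an SRS0-style rewrite of the envelope sender making the same hop pass. The domains, addresses, secret and day number are constructed, and the SRS timestamp expiry check is left out.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF records (documentation addresses); a real check queries DNS TXT.
SPF = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",           # original sender
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",  # forwarding host
}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def spf_check(client_ip, mail_from):
    """Evaluate the ip4 and all mechanisms of the MAIL FROM domain's record."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qualifier]
    return "neutral"

def _hash(secret, *parts):
    # Short keyed hash so third parties cannot mint rewritten addresses.
    mac = hmac.new(secret, "".join(parts).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite the envelope sender as SRS0=hash=tt=domain=local@forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    tt = B32[(day % 1024) >> 5] + B32[day & 31]  # two-character day stamp
    return f"SRS0={_hash(secret, tt, domain, local)}={tt}={domain}={local}@{forwarder_domain}"

def srs_reverse(address, secret):
    """Recover the original sender for a bounce; reject a bad or forged hash."""
    tag, digest, tt, domain, local = address.rsplit("@", 1)[0].split("=", 4)
    if tag != "SRS0" or not hmac.compare_digest(digest, _hash(secret, tt, domain, local)):
        raise ValueError("not a valid SRS0 address for this forwarder")
    return f"{local}@{domain}"
```
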

