spf-discuss

Re: John Levine says: SPF Loses Mindshare?

2005-08-03 16:36:13
On Wed, Aug 03, 2005 at 03:31:59PM -0400, Stuart D. Gathman wrote:

> I suspect they simply didn't want to deal with telling users
> that they can't use their foo(_at_)earthlink(_dot_)net address from any
> random email mail client in the world with no setup.

Well, if that were how things were already set up, and if that were
how the documentation already...

Oh wait, we've all had this discussion here a bazillion times before,
and we're all familiar with the technical solutions.  But since it's
obviously a point of confusion for ISPs, maybe this can be an item for a
FAQ.

I don't know what FAQs might be being developed but... consider this a
submission for a FAQ:

Question:
---------

I'm afraid of publishing a record ending with "-all" right now.

You see, I have all these users who are used to sending mail while
roaming, and I don't want to deal with the customer support costs of
helping them configure their mail programs to connect to our mail
servers via the standard mail submission port 587 when roaming.

Instead, I prefer to allow others to forge my domain and ruin
my reputation.

(okay, maybe the above two paragraphs could be written more politely.)

Answer:
-------

You don't have to do everything in one big step.

For now, publish records such as:

  "v=spf1 a:outgoing-mailservers.example.com ?all"

This will cause messages sent from your outgoing mailservers to get an
SPF pass result from compliant SPF checkers.  Recipients will be able to
see that those mails really came from your domain.

Messages sent from elsewhere will get an SPF NEUTRAL result, which is
almost the same as the NONE result they'd get if you didn't have any SPF
record at all.  In both cases recipients would not be able to know
whether those mails, which purported to be sent from your domain, were
legitimately sent from your domain.

However, if you're willing to invest a little more work, you can improve
things further for users who are interested in participating.

For instance, you could publish a record such as:

  v=spf1 a:outgoing-mailservers.example.com
         ?exists:%{s}.no-spf-protection-users.example.com -all

Initially have all your users in this no-spf-protection group.

Allow them to become "protected" by selecting an option in their email
preferences web form.

Those who check the box have to authenticate to one of your mailservers'
port 587's to send mail when roaming.

Recipients receiving mail purported to be transmitted by "participating"
users, but sent from elsewhere, can see that the mail is a forgery and
not accept it.  You then get fewer complaint calls about being a source
of forgeries.

If you want to do a bit more work, you can sign the return-paths of
participating users, which means that you can reject any forged bounces
from those users.  This means that participating users need not see any
forged bounces.

(Although this will require updating all your user documentation,
you might even consider eventually having the default setting for all
new users be "protected".)

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
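A small evaluator for the two records in the answer above, added here as an illustration and not part of the original message: it walks the mechanisms left to right, expands %{s} to the sender address, and resolves "a:" and "exists:" against a constructed in-memory DNS table instead of real DNS (the host names, addresses and user names are made up).

```python
# Added example, not from the original message: a miniature SPF check_host()
# covering only the mechanisms the FAQ answer uses (a, exists, all) and the
# %{s} / %{i} macros. DNS is replaced by a constructed in-memory table.

# Constructed DNS zone (A records only). For "exists:" any A record is a match.
DNS_A = {
    "outgoing-mailservers.example.com": {"192.0.2.10", "192.0.2.11"},
    # bob is still in the no-spf-protection group; alice has opted in, so she
    # has no entry and her forged mail must come from the listed servers.
    "bob@example.com.no-spf-protection-users.example.com": {"127.0.0.2"},
}

# Per RFC 4408, %{s} expands to the full sender address, "@" included.
def expand_macros(domain_spec, sender, client_ip):
    return domain_spec.replace("%{s}", sender).replace("%{i}", client_ip)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(record, client_ip, sender):
    """Evaluate one v=spf1 record for a connection; return the SPF result name."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                     # the default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            target = expand_macros(arg, sender, client_ip)
            matched = client_ip in DNS_A.get(target, set())
        elif mech == "exists":
            target = expand_macros(arg, sender, client_ip)
            matched = bool(DNS_A.get(target))
        else:
            return "permerror"              # mechanism outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term

# The two records from the FAQ answer, in the order the answer suggests them.
INTERIM_RECORD = "v=spf1 a:outgoing-mailservers.example.com ?all"
OPT_IN_RECORD = ("v=spf1 a:outgoing-mailservers.example.com "
                 "?exists:%{s}.no-spf-protection-users.example.com -all")
```

With the opt-in record, a message for bob from an unknown host gets "neutral" (he is still in the unprotected group), while the same message for alice gets "fail", which is what lets recipients reject forgeries of participating users.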