spf-discuss

RE: [spf-discuss] The problems with SPF

2005-08-26 14:09:31
From: Dan Field [mailto:dan(_dot_)field(_at_)accessemedia(_dot_)com] 
If I really did ask them to forward stuff to me, I'll list them.

And how about the local business who has one PC, has his 
company domain name with a local hosting company but has his 
e-mail forwarded to his dial-up ISP's account. There are 
thousands upon thousands of these people.

Where HIS OUTBOUND email is forwarded he must ensure that 
his DNS includes this in the SPF.

For INBOUND (to him Email) it is more difficult:

For instance, if he uses an email service then he
must ENSURE that the service either "resends" from
a validated (SPF) server/username.

This is the one that likely impinges on his ISP 
starting to check SPF.


(who is checking) are either sent FROM 
His ISP then implements SPF checking, which is perfectly 
reasonable for them to do... but whenever he is sent an 
e-mail from a company with a strict SPF policy, and is then 
forwarded by his local hosting company he is going to have 
problems, isn't he?

No, not as stated but there is a problem in some cases
if the forwarder doesn't rewrite (or resend) his inbound
email correctly.

For instance:  I send an Email to him, and MY domain lists
-all to terminate my SPF (it does); but the forwarder just
forwards the email still FROM ME to him through his ISP
who checks.

His ISP is going to see that -all and that his forwarder
server is NOT listed and (in your example) reject the 
email.

The problem is the forwarder -- and before anyone says
"but the forwarder is doing everything according to
rfc", then YES, the forwarder is NOT "broken" but it is
NOT suitable for this purpose.

He chose that forwarder and he chose that ISP.  The
way to fix it AND BENEFIT from SPF is to upgrade the
forwarder.  The way to avoid the problem at the ISP
is to not block.

The way for ME to avoid the problem is not to list -all.

Everyone is making a choice here and unless we choose
wisely we get what we asked for but notice that SPF 
BLOCKED NOTHING.

Blocking was a choice by the ISP; -all was MY CHOICE;
and using that forwarder was HIS CHOICE.

It's all very well you saying "If I really did ask them to 
forward stuff, I'll list them" when you technically know what 
you are doing, but the majority of people using e-mail do not 
know anything about the technicalities... if it doesn't work 
they don't care that their e-mail is not working now because 
of the forwarding.

True, but he effectively CHOSE to "become an email admin"
without the requisite training or interest in learning, or
even having an SMTP server of his own.

(Otherwise he can fix this fairly easily.)


But.... again it comes back to the argument about forwarding. 
I know it isn't SPF that is the problem, but the problem is 
there and is a major hindrance *for* SPF

Yes.  It (the old forwarder etc problem) is a HINDRANCE to SPF.

Few want to block on SPF fail -- and few want to use -all since
someone MIGHT block on legitimately forwarded email.

And no one wants to receive "joe jobs" from those who could
look at the SPF record and DETERMINE it was a forgery.

My SPF record is VERY complicated for such a "small company"
because it deals with most of the issues I expect AND which
are under my control.

But the guy who sets up his own forwarder must make sure
the receiving server is going to accept that forwarding or
he must choose a forwarder that can rewrite to SPF valid 
email, if he wants "all of his email."

I believe that anything less than -all is wimpy, but I 
am probably going to change to neutral based on all the
confusion.

--
Herb Martin
