
Re: [spf-discuss] Fwd: I am not spam! OK, so i am not much better. :(

2006-06-10 07:09:17
On Saturday 10 June 2006 07:03, paddy wrote:
> On Fri, Jun 09, 2006 at 03:08:45PM -0700,
> Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com wrote:
>
> > Yahoo mail or Windows Live mail (nee Hotmail) or GMail are all free, and
> > the WebMail plugin for Thunderbird works with all of them.
>
> Granted that is the reason why there is little point in using your ISP as
> the default option, but if Andy is using this for business, as he
> seems to say, then having his own domain would likely make sense.

Yes.  In most businesses branding is important.  It's one of the reasons as a 
VERY small business (one person) I have my own domain name.

> It would be nice to be able to point to one of a few simple "best practice"
> or "case study" pages, you know "home user", "small business" ... where
> the ins and outs of a setup and its rationale and requirements are laid
> out, so that it would be easy to reply to Andy saying "take a look at
> this, you likely want to be travelling in that direction".

Some work was done on that a year or two ago.  John Pinkerton still has most 
(if not all) of what he did online even though he's not active in the project 
at the moment:

http://spf.idimo.com/home.html

I couldn't find it based on a quick look, but I recall there being some draft 
best practices there.  On a more general note, since John isn't active in the 
project, it might be useful for someone with some spare time (i.e. not me) to 
go through his site and see if there are any issues there that are not well 
represented in the new web site.

The challenge is that, unless you want to run your own dedicated mail server, 
small businesses are in a bit of a bind with respect to SPF.  Unless you are 
a business big enough to have dedicated staff, are in the e-mail business, or 
are prepared to spend a disproportionate amount of time maintaining and 
monitoring a mail server, it just isn't practical for a small business to run 
dedicated servers.

If you use a shared server today there are risks as described in RFC 4408:

http://new.openspf.org/svn/project/specs/rfc4408.html#cross-user-forgery

As far as I know, no commercial provider that allows you to use your own 
domain prevents customers from using arbitrary e-mail addresses.  Or, put 
differently, which commercial e-mail providers allow (I'm speaking 
technically here, not by terms of service) cross-user forgery?  All of them.

That can put the little guy in a difficult position.  When initially 
publishing a record, it is often useful to start with ?all because you aren't 
sure you got it right.  So the initial record might be:

v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ?all

That doesn't tell us much, does it?  Even at the next step it isn't terribly 
useful:

v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ~all

The little guy has to get to -all before his SPF record can actually be used 
for anything.  It still isn't suitable for whitelisting.

As I've mentioned before, I'm starting a service that does provide technical 
measures to prevent cross-user forgery.  The technical aspect of it isn't 
that hard.  It's the administrative burden that's a nuisance.  I have great 
hopes that this will continue to be more burden than the big guys want to 
take on for quite some time.

If cross-user forgery protections are in place, then the small guy can publish 
an SPF record that supports the full spectrum of potential uses for SPF.

v=spf1 include:strong.esp.example.net ?a:relay.isp.example.com -all

Note that this example shows the little guy authorizing mail from two 
different providers.  At one point SPF got a lot of criticism as a "plot" to 
trap senders into being stuck using only the big players.  I don't know if 
anyone still believes in that, but it's bunk in my book.
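The three record stages above (?all, then ~all, then a plain include with -all) and the cross-user forgery risk from RFC 4408 can be watched in a small evaluator. This is an added example, not code from Scott's post or from the SPF project: a minimal check_host() over a constructed in-memory DNS table, covering only the a, include and all mechanisms and the four qualifiers that the quoted records use. The hostnames relay.isp.example.com, mail.esp.example.net and strong.esp.example.net are the ones in the post; the IP addresses, the two ESPs' own SPF records, the domain littleguy.example and all function names are assumptions.

```python
"""Minimal SPF check_host() over an in-memory "DNS" table.

Added example, not from the original post. Covers only the mechanisms the
records in the thread use (a, include, all) and the four qualifiers of
RFC 4408. Every address, ESP record and the domain name below is constructed.
"""
import ipaddress

# Constructed DNS data. TXT holds SPF records, A holds address records.
TXT = {
    "mail.esp.example.net": "v=spf1 a:mail.esp.example.net -all",
    "strong.esp.example.net": "v=spf1 a:strong.esp.example.net -all",
}
A = {
    "relay.isp.example.com": ["192.0.2.10"],
    "mail.esp.example.net": ["198.51.100.20"],
    "strong.esp.example.net": ["203.0.113.30"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The three stages of the little guy's record, as written in the post.
STAGES = {
    "initial": "v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ?all",
    "next": "v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ~all",
    "strong": "v=spf1 include:strong.esp.example.net ?a:relay.isp.example.com -all",
}


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg.lower()))
    return parsed


def check_host(ip, domain, txt=TXT, a=A, depth=0):
    """Return the SPF result for sender address ip claiming MAIL FROM domain.

    Note what is *not* an input: which customer of the sending provider
    handed over the message. SPF sees only the connecting IP, which is the
    cross-user forgery gap the post describes; only the provider can close it.
    """
    if depth > 10:  # crude stand-in for the RFC 4408 lookup limit
        return "permerror"
    record = txt.get(domain.lower())
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_record(record):
        if mech == "all":
            matched = True
        elif mech == "a":
            host = arg or domain
            matched = any(ipaddress.ip_address(h) == sender for h in a.get(host, []))
        elif mech == "include":
            # include matches only when the referenced policy returns "pass"
            matched = check_host(ip, arg, txt, a, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not implemented in this toy
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term was present


def results_by_stage(ip, domain="littleguy.example"):
    """Evaluate ip against each stage of the record; returns {stage: result}."""
    out = {}
    for stage, record in STAGES.items():
        table = dict(TXT)
        table[domain] = record  # publish this stage for the constructed domain
        out[stage] = check_host(ip, domain, table, A)
    return out


if __name__ == "__main__":
    for label, ip in [("ISP relay", "192.0.2.10"), ("strong ESP", "203.0.113.30"),
                      ("forged", "203.0.113.99")]:
        print(f"{label:10} {ip:15} {results_by_stage(ip)}")
```

Run as a script it prints one row per sender. With the initial record every sender, legitimate or forged, comes back "neutral", so a receiver can conclude nothing; with ~all a forged source gets "softfail" while the real ESP still only gets "neutral"; only the third record separates a "pass" for the ESP from a "fail" for an arbitrary address, and even then any message the ESP emits from 203.0.113.30 passes for littleguy.example, whichever ESP customer sent it. That last point is what the post's cross-user forgery protections have to address on the provider side, since the record alone cannot.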

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com