On Saturday 10 June 2006 07:03, paddy wrote:
On Fri, Jun 09, 2006 at 03:08:45PM -0700,
Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com wrote:
Yahoo mail or Windows Live mail (nee Hotmail) or GMail are all free, and
the WebMail plugin for Thunderbird works with all of them.
Granted that is the reason why there is little point in using your ISP as
the default option, but if Andy is using this for business, as he
seems to say, then having his own domain would likely make sense.
Yes. In most businesses branding is important. It's one of the reasons as a
VERY small business (one person) I have my own domain name.
It would be nice to be able to point to one of a few simple "best practice"
or "case study" pages, you know "home user", "small business" ... where
the ins and outs of a setup and its rationale and requirements are laid
out, so that it would be easy to reply to Andy saying "take a look at
this, you likely want to be travelling in that direction".
Some work was done on that a year or two ago. John Pinkerton still has most
(if not all) of what he did online even though he's not active in the project
at the moment:
http://spf.idimo.com/home.html
I couldn't find it based on a quick look, but I recall there being some draft
best practices there. On a more general note, since John isn't active in the
project, it might be useful for someone with some spare time (i.e. not me) to
go through his site and see if there are any issues there that are not well
represented in the new web site.
The challenge is that, unless you want to run your own dedicated mail server,
small businesses are in a bit of a bind with respect to SPF. Unless you are
a business big enough to have dedicated staff, are in the e-mail business, or
are prepared to spend a disproportionate amount of time maintaining and
monitoring a mail server, it just isn't practical for a small business to run
dedicated servers.
If you use a shared server today there are risks as described in RFC 4408:
http://new.openspf.org/svn/project/specs/rfc4408.html#cross-user-forgery
As far as I know, no commercial provider that allows you to use your own
domain prevents customers from using arbitrary e-mail addresses. Or, put
differently, which commercial e-mail providers allow (I'm speaking
technically here, not by terms of service) cross-user forgery? All of them.
That can put the little guy in a difficult position. When initially
publishing a record, it is often useful to start with ?all because you aren't
sure you got it right. So the initial record might be:
v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ?all
That doesn't tell us much, does it? Even at the next step it isn't terribly
useful:
v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ~all
The little guy has to get to -all before his SPF record can actually be used
for anything. It still isn't suitable for whitelisting.
As I've mentioned before, I'm starting a service that does provide technical
measures to prevent cross-user forgery. The technical aspect of it isn't
that hard. It's the administrative burden that's a nuisance. I have great
hopes that this will continue to be more burden than the big guys want to
take on for quite some time.
If cross-user forgery protections are in place, then the small guy can publish
an SPF record that supports the full spectrum of potential uses for SPF.
v=spf1 include:strong.esp.example.net ?a:relay.isp.example.com -all
Note that this example shows the little guy authorizing mail from two
different providers. At one point SPF got a lot of criticism as a "plot" to
trap senders into being stuck using only the big players. I don't know if
anyone still believes in that, but it's bunk in my book.
Scott K
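
The three records quoted in the message above, run through a small evaluator to show what a receiver gets back from each one. This is an added example, not part of the original message or the SPF project's code. Assumptions: the RESOLVED table stands in for DNS, the IP addresses are constructed from documentation ranges, and include: is simplified to "the included policy passes these addresses".

```python
import ipaddress

# Qualifier -> result, per RFC 4408 (no qualifier means "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS (assumption): the addresses each mechanism
# target would resolve to, or that the included policy would pass.
RESOLVED = {
    "a:relay.isp.example.com": ["192.0.2.25"],
    "include:mail.esp.example.net": ["198.51.100.0/24"],
    "include:strong.esp.example.net": ["198.51.100.0/24"],
}

def check_host(record, client_ip):
    """Return the SPF result for client_ip: the first matching term wins."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            matched = True
        elif mech in RESOLVED:
            matched = any(ip in ipaddress.ip_network(net) for net in RESOLVED[mech])
        else:
            return "permerror"  # mechanism this sketch does not model
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term

RECORDS = {
    "initial": "v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ?all",
    "next step": "v=spf1 ?a:relay.isp.example.com ?include:mail.esp.example.net ~all",
    "strong ESP": "v=spf1 include:strong.esp.example.net ?a:relay.isp.example.com -all",
}
# Constructed senders: the ISP relay, an ESP host, and an unrelated host.
SENDERS = {"isp relay": "192.0.2.25", "esp host": "198.51.100.7", "other": "203.0.113.99"}

def results_table():
    """Evaluate every record against every constructed sender."""
    return {name: {who: check_host(rec, ip) for who, ip in SENDERS.items()}
            for name, rec in RECORDS.items()}

if __name__ == "__main__":
    for name, row in results_table().items():
        print(f"{name:10} {row}")
```

The initial record returns neutral for every sender, the second adds only a softfail for unrelated hosts, and the last is the only one that yields both pass and fail.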