spf-discuss

[spf-discuss] When receiving mail servers undermine the purpose of SPF - a domain owner's perspective

2006-06-13 12:06:07
Firstly - my apologies for the length of this. However, as a domain owner
that supports SPF wholeheartedly, I hope that our experience with a large
Mail Service Provider will prevent other mail service providers from
undermining the benefits that SPF has to offer both them and their users.


We became aware of SPF a year ago and felt that this presented us with an
excellent mechanism whereby we could protect both ourselves and others in
our industry from the negative impact of mass-mailed viruses forging our
domain as the sender, which happened with monotonous regularity on a global
scale.
             
Our SPF record was published with the invaluable assistance of a member of
your volunteer support team after we hit problems with the one that had been
published for us, which was incomplete and contained syntax errors. In
common with many small companies using shared web/mail servers our SPF
record could only achieve a Neutral result. Although this was less assertive
than we would have liked for mail delivery purposes, it was based on an
honest assessment of our infrastructure and we were not prepared to indulge
in deceit simply to give it the convenience of an SPF Pass. We also felt that
its real value to everyone lay less in the handful of IPs that are
authorised to send mail for our domain, but more significantly in the
millions of other IPs that are explicitly excluded from doing so.

However, as soon as this record was published a Mail Service Provider in
Poland, Interia.pl and Poczta.fm started rejecting mail from our authorised
mail servers with the following:
Recipient address rejected: SPF policy: SOFTFAIL [ wyslij ten list przez
wlasciwy dla Twojejdomeny serwer pocztowy / please send this message through
an authorized mailserver].

Our service is heavily dependent on successful e-mail delivery to new and
existing subscribers. Since they were blocking e-mail from our domain on the
basis of our SPF record, we had no option but to manually resend mail to
their users, from an e-mail address provided by our ISP that is not
protected by an SPF record, whilst we attempted to resolve this matter with
them. However, they never felt inclined to respond to our efforts to contact
them and after 11 months, we were left with no alternative but to block any
further access to our service by their users. We persevered for this long
because we appreciated that language difficulties might prevent them from
understanding/responding to our enquiries. In addition, we felt it was
entirely possible that they may not be prepared to respond to an enquiry
from one domain concerning mail delivery issues affecting another, with no
way of establishing a link between the two.

We tried asking users that were affected by this to contact their provider
on the basis that they at least spoke the same language and had an existing
relationship (of sorts). However, this achieved nothing. More recently we
have moved to a different mail service provider, which enabled us, for the
first time, to obtain an SPF Pass and we therefore made a final attempt to
contact them from our own domain. When this was ignored, we decided to call
it a day - apart from the fact that it was not achieving anything, we
objected on principle to making our new service provider pick up the tab for
resending mail to their users.

This decision was reinforced by information received from someone with the
benefit of local knowledge, which indicated that interia.pl/poczta.fm have a
poor reputation locally and that many private and academic networks simply
block incoming mail from their servers. Nevertheless, Interia.pl is operated
by a popular local radio station and in 2005, was the 4th largest mail
service provider in Poland - this market dominance therefore means that they
have a greater responsibility to get it right.

When it was suggested that this e-mail rejection might be due to "local
policy" abusing SPF, another ISP in Poland invited us to test our e-mail
against their own "strict" SPF checks. These were also rejected on the basis
of a Neutral SPF result. However, mail sent from an address without an SPF
record was delivered successfully.

In all the non-technical documentation I have read on SPF, I can find no
recommendation to reject mail on the basis of a neutral SPF result but
rather to treat it as if it had no SPF record. Logically, therefore, any
Internet/Mail Service provider that chooses to reject mail on the basis of a
neutral SPF result should also reject mail from domains with no SPF record.
To do otherwise can only serve to penalise responsible domain owners who are
at least aware of the problem and making the effort to become part of the
solution. By the law of unintended consequences it also plays directly into
the hands of spammers and other criminal elements who can safely exploit
this loophole by sending mail from their own domains and then claim that
they were the victims of domain name forgery, with no SPF record to prove
otherwise. For the end user this can only result in more spam/phishing mails
and less prospect of them receiving legitimate e-mail.   

If all Internet/Mail Service providers adopted the same policy as
Interia.pl, many small companies like ourselves without the budget to
operate dedicated web servers, would be faced with the choice of abandoning
their SPF record simply to get their mail delivered, or publishing a more
assertive record than their infrastructure warranted, to obtain an SPF Pass.
Since the latter approach carries the risk of legal liability for any e-mail
covered by that record, the safest approach would be to abandon their SPF
record altogether.

So, for any Internet/Mail Service Provider considering a similar approach to
that of Interia.pl/Poczta.fm - please think carefully about the
consequences. If you want to benefit from SPF - don't make it impossible for
small companies to co-operate with you. 

If anyone is able to translate this into Polish, please feel free to forward
it on to the respective postmaster addresses of interia.pl/poczta.fm.

Thank you for reading this.

Claire
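As an added illustration (not part of the original post, and not the poster's or any provider's code), the following Python sketch models the receiver-side decision the post argues about: a minimal SPF evaluator over constructed records, with the documented policy (Neutral handled like no record) beside the strict policy described above, which rejects Neutral/SoftFail yet accepts a domain that publishes no record at all. The domain names, IP addresses and the RECORDS table are constructed stand-ins for real DNS TXT lookups.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (example domains only):
# a shared-host domain that can only publish "?all" (Neutral), a dedicated
# server with "-all", a "~all" (SoftFail) variant, and no-record.example,
# which is deliberately absent and therefore yields "none".
RECORDS = {
    "shared-host.example": "v=spf1 ?all",
    "dedicated.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip):
    """Minimal SPF evaluator: only the ip4 and all mechanisms are understood."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: the RFC 4408 default result


def documented_policy(result):
    """What the SPF documentation recommends: only Fail is grounds for
    rejection; Neutral is handled exactly like a domain with no record."""
    return "reject" if result == "fail" else "accept"


def strict_policy(result):
    """The receiver behaviour the post describes: Neutral and SoftFail are
    rejected, yet a domain that publishes no record at all is accepted."""
    return "reject" if result in ("fail", "softfail", "neutral") else "accept"


def compare(domain, sender_ip):
    """Return (spf_result, documented_action, strict_action) for one message."""
    result = check_spf(domain, sender_ip)
    return result, documented_policy(result), strict_policy(result)


if __name__ == "__main__":
    # The loophole from the post: the SPF-publishing shared host is rejected
    # by the strict receiver, while the domain with no record is accepted.
    for domain in ("shared-host.example", "no-record.example", "dedicated.example"):
        print(domain, compare(domain, "198.51.100.7"))
```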


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/