
RE: [spf-discuss] Re: When receiving mail servers undermine the purpose of SPF - a domain owners perspective

2006-06-13 19:21:53
-----Original Message-----
From: Julian Mehnle [mailto:julian(_at_)mehnle(_dot_)net] 
Sent: 13 June 2006 22:34

Claire, thanks for sharing your experiences with us!

Much as I regret naming names in this way - I hope that it helps to dissuade
mail receivers from throwing the baby out with the bathwater.

Our SPF record was published with the invaluable assistance of a
member of your volunteer support team after we hit problems with the
one that had been published for us, which was incomplete and contained
syntax errors.

Hear, hear!  I'm sure the support team loves to hear this.  
I'll forward it to them.

Please do. I subscribed to the SPF-mailing list a year ago and I am aware of
the level of support they provide to people like ourselves on top of their
day jobs and other commitments. I particularly appreciated the help we
received in setting up our record, which took time and a lot of patience due
to my lack of technical knowledge and the difficulty in obtaining all of the
information required.

(By the way, thank you also for your recent testimonial, 
which we have published on our website: 
<http://new.openspf.org/Community/News>)

No problem - I hope it helps to persuade more people of the value of
publishing

However, as soon as [our SPF] record was published a Mail Service 
Provider in Poland, Interia.pl and Poczta.fm started rejecting mail 
from our authorised mail servers with the following:
Recipient address rejected: SPF policy: SOFTFAIL [ wyslij ten list 
przez wlasciwy dla Twojejdomeny serwer pocztowy / please send this 
message through an authorized mailserver].

Good to know it is Interia.pl and Poczta.fm (are they affiliated?).
I have heard about such problems with Polish ISPs before but nothing
as specific as this.

Yes - I originally thought we were dealing with 2 different entities.
However, on looking up their report at dnsreport.com it seemed as if they
were connected and this was confirmed by an ISP in Poland.

Why did it say "SOFTFAIL"?  I assume you are aware that 
SoftFail (~) is different from Neutral (?).

No idea - To add weight to our argument that they were jumping to the wrong
conclusions in respect of our record, I sent them the results of all tests
that I could carry out on this record - all of them being neutral. I hoped
that they would explain this in the fullness of time.

[...]
We tried asking users that were affected by this to contact their
provider [about this ...] [...] More recently we have moved to a
different mail service provider, which enabled us, for the first time,
to obtain a SPF Pass and we therefore made a final attempt to contact
them from our own domain. When this was ignored, we decided to call it
a day - apart from the fact that it was not achieving anything, we
objected on principle to making our new service provider pick up the
tab for resending mail to their users.

Even though you didn't succeed I think you took exactly the 
right route in trying to get the issue resolved, especially 
with regard to you first asking users to contact their ISP 
and then your final decision to just let things rest.  In 
situations like yours it is important not to surrender to the 
stupidity of your users' ISPs, but instead to make it very 
clear to your users that it is their ISPs who are degrading 
their quality of service through incorrect implementation of 
technical standards.

Yes - we felt it was important to try and resolve the issue. Fortunately,
their users only made up a tiny percentage of our user-base and although it
was time consuming, it did not overwhelm us. The difficulty in doing so was
that we had to contact them from an unrelated domain, which gave them none
of the means to authenticate us that a lookup on our own domain offers. To
anyone who has paid attention to advice on the social engineering skills
employed by virus writers/phishing scams this immediately looks (or should
look) suspicious. In addition, the e-mail address we had to use to contact
them is now in the wild without any SPF record to protect it. Statistically,
at least one of those computers will become infected and so the cycle will
perpetuate......

[...]  Nevertheless, Interia.pl is operated by a popular local radio
station and in 2005, was the 4th largest mail service provider in
Poland - this market dominance therefore means that they have a greater
responsibility to get it right.

Agreed.

When it was suggested that this e-mail rejection might be due to
"local policy" abusing SPF, another ISP in Poland invited us to test
our e-mail against their own "strict" SPF checks. These were also
rejected on the basis of a Neutral SPF result. However, mail sent from
an address without an SPF record was delivered successfully.

And this other ISP in Poland wasn't responsive either?

I'm delighted to report that they were convinced by my argument and they
have promised to deal with this. The offer for us to send test mails to
their server was a spontaneous response to my posting at SPF-Help.     

In all the non-technical documentation I have read on SPF, I can find
no recommendation to reject mail on the basis of a neutral SPF result
but rather to treat it as if it had no SPF record. Logically,
therefore, any Internet/Mail Service provider that chooses to reject
mail on the basis of a neutral SPF result should also reject mail from
domains with no SPF record. To do otherwise can only serve to penalise
responsible domain owners who are at least aware of the problem +
making the effort to become part of the solution.

Your analysis is absolutely correct.

Glad to hear it.

Thanks

Claire
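
[Added example, not part of the original message or of any SPF project's code.] The thread turns on the difference between Neutral (?), SoftFail (~) and None, and on a receiver that rejects Neutral while accepting None. The Python sketch below evaluates a record against a connecting IP and checks a receiver policy for that inconsistency; the record, the addresses and both policy tables are constructed for illustration, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 4408); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, client_ip):
    """Return the SPF result for client_ip; record=None means nothing published.
    Sketch only: handles ip4, ip6 and all, so no DNS lookups are needed."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError("mechanism not handled in this sketch: " + name)
    return "neutral"  # nothing matched: the default result is Neutral

# Receiver policies, constructed for illustration. OBSERVED mirrors the behaviour
# reported in the message; CONSISTENT is one assumed policy that follows RFC 4408.
OBSERVED = {"pass": "accept", "none": "accept", "neutral": "reject",
            "softfail": "reject", "fail": "reject"}
CONSISTENT = {"pass": "accept", "none": "accept", "neutral": "accept",
              "softfail": "accept-and-flag", "fail": "reject"}

def policy_defects(policy):
    """List the ways a receiver policy departs from RFC 4408's result handling."""
    defects = []
    if policy["neutral"] != policy["none"]:
        defects.append("neutral is not treated like none")
    if policy["softfail"] == "reject":
        defects.append("softfail is rejected outright")
    return defects

# Constructed sample: documentation address ranges, not the poster's real record.
RECORD = "v=spf1 ip4:192.0.2.0/24 ?all"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        result = evaluate(RECORD, ip)
        print(ip, result, OBSERVED[result], CONSISTENT[result])
    print(policy_defects(OBSERVED), policy_defects(CONSISTENT))
```

Changing `?all` to `~all` in the sample record turns the unmatched case from neutral into softfail, which is the distinction asked about in the message.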
