spf-discuss

Re: [spf-discuss] SPF TXT Questions re Effectiveness

2006-12-02 09:50:11
On Sat, Dec 02, 2006 at 08:37:40AM -0800, Robert P. Thille wrote:

> Bear in mind though that anyone who sends thru dyn-dns can forge
> for your domain.
>
> Oops, I may have misspoken.  Your SPF record doesn't keep others who
> send thru dyn-dns from forging your domain, but the local policies
> and implementation at dyn-dns may prevent it.  That is, the fact that
> you have to authenticate to send thru dyn-dns allows dyn-dns to
> restrict what domains you are allowed to use as your mail-from
> (envelope-sender).  However, I don't know if they in fact make such
> restrictions.

Even if every dyn-dns user can forge other dyn-dns users' domains:
With SPF you authorize a server.  You don't claim authenticity of
the messages sent by such server (or any other claim on the messages).

Some people involved in SPF think it is a good idea to publish
something like: "v=spf1 ?include:outbound.mailhop.org -all"
in this case.  Others, and I am one of them, disagree.

Is dyn-dns authorized to send your mail?  Then it deserves a PASS.
If forgery does happen, you expect dyn-dns to react and (virtually)
kill the forger.

I'd reserve "?" for "don't know".  For instance, you think you have
migrated all users to your brand new mail hub, but some people may
still be using provider "x"'s servers to send their mail.  In such
a case you could "?include:x".

Whatever you do, don't publish ?include:... and ?all in the same
policy.  That would be silly, as you could easily remove "?include:..."
in such a case and end up with effectively the same policy.

Be aware that if you opt to publish "?", there are implementations
that reject mail from such places.  If you're not sure you want to
authorize the server, they don't want mail from it...

HTH
Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
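As an added illustration (not part of the list post), the small Python evaluator below supports only the ip4, include and all mechanisms with the four qualifiers, and runs the three policies discussed above against a constructed DNS table; the domains, addresses and records are made up. It shows that "?include:… -all" yields neutral where a plain include yields pass, and that "?include:… ?all" is indistinguishable from a bare "?all".

```python
"""Minimal SPF evaluator (ip4, include, all) for the qualifier discussion.
Added example, not code from the spf-discuss thread; all data is constructed."""
import ipaddress

# Constructed DNS "zone": domain -> SPF TXT record (not real records).
DNS = {
    "outbound.mailhop.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "x.example":            "v=spf1 ip4:198.51.100.0/24 -all",
    "pass.example":    "v=spf1 include:outbound.mailhop.org -all",
    "neutral.example": "v=spf1 ?include:outbound.mailhop.org -all",
    "silly.example":   "v=spf1 ?include:outbound.mailhop.org ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, ip, dns, depth):
    """Return True when a single mechanism matches the sending IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "include":
        # include matches only if the referenced policy evaluates to pass;
        # any other result (fail, neutral, none) means "no match" here.
        return evaluate(arg, ip, dns, depth + 1) == "pass"
    raise ValueError(f"unsupported mechanism {name!r}")


def evaluate(domain, ip, dns=DNS, depth=0):
    """Return pass/fail/softfail/neutral/none for `ip` sending as `domain`."""
    if depth > 10:  # cap include recursion, roughly in the spirit of the SPF lookup limit
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if _matches(mech, ip, dns, depth):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (implicit default)


if __name__ == "__main__":
    for d in ("pass.example", "neutral.example", "silly.example"):
        print(d, "192.0.2.10 ->", evaluate(d, "192.0.2.10"),
              "| 203.0.113.5 ->", evaluate(d, "203.0.113.5"))
```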