spf-discuss

Re: [spf-discuss] Senderside forwarder-problem mitigation

2009-07-13 12:51:45
On Fri, 10 Jul 2009, Michael Deutschmann wrote:

> Look at it this way -- there are five kinds of practical forwarding
> problem mitigation:
>
> Crap Receiverside -- Treat all SPF results as if they were the most
> permissive of the actual result and Neutral.
>
> Elite Receiverside -- Use a forwarder whitelist to give a virtual Pass to
> forwarded mail, otherwise apply actual SPF result.
>
> Forwarderside -- Use SRS, or at least sham-SRS (changing the MAIL FROM, but
> making no arrangement to relay bounces).
>
> Crap Senderside -- Write the SPF policy to give the most permissive of the
> correct result (from a G-SPF perspective) and neutral.
>
> Elite Senderside -- Use VERP, the exists mechanism, and a magical DNS
> server.

Excellent summary of correct policies.  There is also, however:

Broken Receiverside -- Reject SPF fail regardless of receiver forwarding,
even when the "forwarder" is your own secondary MX (and you think it
is helping block spam because spammers tend to use secondaries first).

Unfortunately, the prevalence of Broken Receiverside is the primary
cause of Crap Senderside.

BTW, PowerDNS provides a pretty clean API for a magical authoritative-only DNS
in your choice of language.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
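
Added example (not part of the message above, and not code from either poster or from PowerDNS): one possible reading of "Elite Senderside", written as a PowerDNS pipe-backend coprocess that answers the lookups generated by an SPF record such as `v=spf1 ip4:192.0.2.10 exists:%{ir}.%{l}._fwd.%{d} -all`. The zone name, the VERP form `bounce+user=domain`, the forwarder table, the addresses and the 127.0.0.2 answer are all assumptions made for illustration; the thread does not spell out the scheme.

```python
import ipaddress
import sys

ZONE = "_fwd.sender.example"  # assumed zone delegated to this backend
# Constructed table: recipients known to forward, and the relays they use.
FORWARDERS = {"alice@example.org": {ipaddress.ip_address("203.0.113.7")}}

def parse_qname(qname):
    """Split '<reversed-ip>.<verp-local-part>.<ZONE>' into (ip, recipient)."""
    name = qname.rstrip(".").lower()
    if not name.endswith("." + ZONE):
        return None
    labels = name[: -len(ZONE) - 1].split(".")
    if len(labels) < 5:
        return None
    try:
        ip = ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None
    # Assumed VERP form: bounce+<user>=<domain>@sender.example
    prefix, _, encoded = ".".join(labels[4:]).partition("+")
    user, _, domain = encoded.rpartition("=")
    if prefix != "bounce" or not user or not domain:
        return None
    return ip, f"{user}@{domain}"

def exists_matches(qname):
    """True when the connecting IP is a known forwarder for the VERP recipient."""
    parsed = parse_qname(qname)
    return parsed is not None and parsed[0] in FORWARDERS.get(parsed[1], ())

def answer(line):
    """Handle one PowerDNS pipe-backend (ABI 1) line; return the reply lines."""
    fields = line.rstrip("\n").split("\t")
    if fields == ["HELO", "1"]:
        return ["OK\tforwarder-aware exists backend"]
    if fields[0] != "Q" or len(fields) < 6:
        return ["FAIL"]
    qname, qclass, qtype, qid = fields[1:5]
    out = []
    # Apex SOA/NS answers for ZONE are left out to keep the focus on exists.
    if qtype in ("A", "ANY") and exists_matches(qname):
        out.append(f"DATA\t{qname}\t{qclass}\tA\t60\t{qid}\t127.0.0.2")
    out.append("END")
    return out

if __name__ == "__main__":
    for request in sys.stdin:
        print("\n".join(answer(request)), flush=True)
```

With this table, mail to alice@example.org relayed by 203.0.113.7 matches the exists mechanism and passes, while the same VERP sender seen from any other address falls through to `-all`.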

