Re: [spf-discuss] Yahoo mail and Gmail policy explanation?

There is still a point, because although some ESP's may not block 
forged/non-existent domains, many mail servers do, more and more.
And more and more use SPF as an indicator toward spam (which is often 
forgery) or not.
So having an SPF record can help your domain get successful delivery.
And can help you from some forgery should it ever sneak up on you.

I am all for "do not fix something that is not broken",
but remember also that "an ounce of prevention is worth a pound of cure".
SPF may be that ounce of prevention.

Terry


Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085


On 2/10/2011 12:33 AM, Martin Jericho wrote:
> Hi Stuart,
>
> Thanks for your explanation - although I'm not convinced about the 
> reasoning.
> If Google and Yahoo just allow email from invalid domains because 
> there are too many incorrectly configured sender mail servers, 
> wouldn't the same argument mean they also just ignore SPF because 
> there are so many incorrectly configured SPF records?  From the 
> evidence I've seen they do check SPF records for real domains but just 
> let fake domains through without even marking them as spam.
> If all mail servers did the sensible thing as mentioned here: 
> http://www.openspf.org/FAQ/Blocking_spam, and all domains had SPF 
> records, spammers would indeed have a hard time. The fact that Google 
> and Yahoo allow fake domains through really makes SPF completely 
> impotent as a weapon to fight spam. In the cartoon guide 
> (http://old.openspf.org/aspen.html) this would be represented by a 
> huge bell curve called "fake domains" that dwarfs the other two and is 
> a free ticket to spammers.
> The fundamental question I'm trying to get at is:
> Should I bother setting up and maintaining SPF records if my domains 
> are not currently suffering from any forged identity problems? I would 
> do it happily if it contributed to the internet community's fight 
> against spam, but unless major email service providers close the fake 
> domain loophole, there doesn't seem to be any point.
> Cheers
> Martin
>
>
>
> ----- Original Message ----- From: "Stuart D. Gathman" 
> <stuart(_at_)bmsi(_dot_)com>
> To: <spf-discuss(_at_)listbox(_dot_)com>
> Sent: Thursday, February 10, 2011 12:31 PM
> Subject: Re: [spf-discuss] Yahoo mail and Gmail policy explanation?
>
>
> > On Thu, 10 Feb 2011, Martin Jericho wrote:
> >
> > > Neither yahoo mail nor gmail seem to reject incoming mail if there 
> > > is no DNS
> > > record at all for the envelope sender address, allowing spammers to 
> > > just use
> > > completely fake domains.
> > >
> > > Does anyone know why they might choose to have that policy? Is there 
> > > any
> > > legitimate reason for allowing incoming mail from a fake domain? It 
> > > doesn't
> > > even get blocked when you turn on the spam filter!
> > Believe it or not, there are countless clueless, but otherwise 
> > "legitimate"
> > senders who can't get basic things like HELO or MAIL FROM right (much
> > less SPF).  Our customers get such mail rejected from their customers 
> > every
> > month or so.  We immediately search the logs, find what brainless 
> > thing their
> > customer is doing, attempt to send mail to postmaster (which usually 
> > fails,
> > because they are after all clueless), and add a special "whitelist" 
> > (like
> > "accept mail from invalid domain email-clueless.com" and hope 
> > spammers don't
> > use it).
> >
> > Free email outfits like yahoo or gmail simply can't afford to offer this
> > kind of email tech support.  Their system has to be entirely self-serve.
> > Statistically routing mail to a "spam" folder is something end users
> > can handle on their own when it doesn't do what they want.  Diagnosing
> > what what idiotic thing this particular sender did, and constructing
> > a complex whitelist to work around it is not something end users can 
> > handle.
> > It is *not* as simple as "whitelist this email" when the domain is 
> > invalid
> > or forged.
> >
> > If there was a particular email, then a "Whitelist" button could run
> > heuristics to identify common sender problems and apply standard 
> > workarounds.
> > But if there was an email, then our customer would not be complaining!
> > The first problem is *finding* what random invalid domain the stupid
> > sender is trying to use in the log.  In the case of my church, for 
> > instance,
> > they simply had a typo in their MTA config for the MAIL FROM (and
> > they rewrote the MAIL FROM of all client submissions with the wrong 
> > domain).
> > If people would just send a test email to something like 
> > spf-test(_at_)openspf(_dot_)org
> > after configuring their server, things would be so much easier.
> > It would also be nice if they tested their SPF record on openspf.org
> > before publishing it.
> >
> > --
> >       Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
> >    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 
> > 591-6154
> > "Confutatis maledictis, flammis acribus addictis" - background song for
> > a Microsoft sponsored "Where do you want to go from here?" commercial.
> >
> >
> > -------------------------------------------
> > Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> > Modify Your Subscription: http://www.listbox.com/member/ 
> > [http://www.listbox.com/member/]
> > Archives: https://www.listbox.com/member/archive/735/=now
> > RSS Feed: 
> > https://www.listbox.com/member/archive/rss/735/20472388-958fad67
> > Modify Your Subscription: https://www.listbox.com/member/?&;
> > Unsubscribe Now: 
> > https://www.listbox.com/unsubscribe/?&&post_id=20110209203212:93B6D168-34B5-11E0-BF88-9E0B634668CC
> > Powered by Listbox: http://www.listbox.com 
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/ 
> [http://www.listbox.com/member/]
> Archives: https://www.listbox.com/member/archive/735/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/735/1068817-8ce620fc
> Modify Your Subscription: 
> https://www.listbox.com/member/?&;
> Unsubscribe Now: 
> https://www.listbox.com/unsubscribe/?&&post_id=20110210003411:626FF0A4-34D7-11E0-8032-CB15B0C564E0
> Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ 
[http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/2183229-668e5d0d
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=2183229&id_secret=2183229-a7234b15
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=2183229&id_secret=2183229-98aa0fe6&post_id=20110210151545:A2B08054-3552-11E0-8456-1A52F559ED1D
Powered by Listbox: http://www.listbox.com