stuart at bmsi
Jun 14, 2004, 8:17 PM
Post #24 of 29
On Mon, 14 Jun 2004, Ryan Malayter wrote:
> [David Woodhouse]
> >It seems that the authors of the wizard in question would prefer to
> >encourage others to publish broken ('-all') records, and bank on the
> >fact that few people are actually dim enough to bounce mail
> >just because it gets an SPF 'fail', as you yourself observed.
> The problem is not naïve administrators, it is poor documentation. The
> distinction between 'fail' and 'softfail' is not explained in detail anywhere
> on the main pages of the main SPF site. The only portion that describes what
> 'softfail' truly means is the draft RFC, which is dated February 2004, well
> after I used the wizard to publish my SPF records.
> In fact, many of the spf.pobox.com pages encourage sysadmins to publish
> '-all' after they have all their users using SASL. No mention of the
> forwarding issue as it relates to '-all' can be found:
That is because the forwarding issue is the responsibility of the
mail recipient - they are the one that chooses any forwarders.
The naive administrator is completely correct in assuming that if
no mail for that domain should ever originate except from the listed machines
(in particular if he promises never to use greeting card sites), then
he should use -all when *publishing* SPF records.
However, configuring an MTA to *check* SPF is another matter. If users in the
receiving domain use forwarders, then the administrator cannot
reject mail based solely on SPF without making some provision for
the forwarders. These provisions might include:
o whitelisting trusted forwarders
o not checking SPF for forwarders which don't implement SRS, RSR, or SUBMITTER
o if the originating address is available (via SRS, RSR, or SUBMITTER),
and is SRS or SES signed, do CBV or the yet-to-be-defined DNS equivalent to
verify the originating address.
Note that just because a forwarder has an SPF record doesn't mean
you should trust them. In today's email world, you should only
accept forwards from MTAs which you (or your users) have actually designated
as forwarders. Otherwise, regardless of SPF, you are essentially providing
an open relay for spam via DSNs, auto-replies, etc.
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
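The forwarder provisions Stuart lists (whitelisting designated forwarders, not rejecting on SPF for forwards, recovering the original sender from an SRS-rewritten address for a later CBV, and refusing forwards from hosts nobody designated) can be expressed as a small receiving-side policy function. The block below is an added example written for this thread; it is not code from the original post or from any SPF library. It assumes the SPF result for the envelope sender has already been computed by an external checker and is passed in as a string, that the connecting host name has been verified by the MTA, and that the forwarder list and sample sessions are constructed; the CBV step is only signalled, not performed.

```python
"""Receiving-side SPF policy that makes provision for designated forwarders.

Added example for the discussion above; not code from the original post
or from any SPF implementation. The SPF result is assumed to come from an
external check, the client host name is assumed verified, and the
forwarder list and sessions below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# SRS0 rewritten sender, as produced by a forwarder that implements SRS:
#   SRS0=<hash>=<timestamp>=<original-domain>=<original-local>@<forwarder-domain>
_SRS0 = re.compile(r"^SRS0=([^=@]+)=([^=@]+)=([^=@]+)=([^@]+)@([^@]+)$", re.IGNORECASE)

# Constructed whitelist: hosts this site (or its users) have designated as forwarders.
TRUSTED_FORWARDERS = frozenset({"forwarder.example.net", "alumni.example.edu"})


@dataclass
class Session:
    client_host: str   # verified name of the connecting MTA (assumed supplied by the MTA)
    mail_from: str     # envelope sender (MAIL FROM)
    spf_result: str    # result of checking mail_from against the client IP: pass/fail/softfail/neutral/none


def srs_original(addr: str) -> Optional[Tuple[str, str]]:
    """Return (original sender, forwarder domain) if addr is SRS0-rewritten, else None."""
    m = _SRS0.match(addr)
    if not m:
        return None
    _hash, _timestamp, orig_domain, orig_local, fwd_domain = m.groups()
    return f"{orig_local}@{orig_domain}".lower(), fwd_domain.lower()


def decide(session: Session, forwarders=TRUSTED_FORWARDERS) -> Tuple[str, str]:
    """Return (action, reason) where action is 'accept' or 'reject'."""
    host = session.client_host.lower()
    srs = srs_original(session.mail_from)

    if host in forwarders:
        # Designated forwarder: its SPF record says nothing about the original
        # sender, so SPF is not used for rejection. If the address is SRS-signed,
        # the original sender is recoverable for a CBV (not performed here).
        if srs:
            return "accept", f"designated forwarder; original sender {srs[0]} available for CBV"
        return "accept", "designated forwarder; SPF not applied"

    if srs:
        # A forward from a host nobody designated: an SPF pass for the forwarder's
        # own domain proves nothing about the original sender, so do not relay it.
        return "reject", f"forward via undesignated host {host}; SPF pass for {srs[1]} proves nothing about {srs[0]}"

    result = session.spf_result.lower()
    if result == "fail":
        # Publisher used -all and the host is not a forwarder we know about.
        return "reject", "SPF fail from a host that is not a designated forwarder"
    if result == "softfail":
        # ~all: the publisher asked for filtering, not rejection.
        return "accept", "SPF softfail: mark for filtering, not rejection"
    return "accept", f"SPF {result}"


if __name__ == "__main__":
    # Constructed sessions exercising each branch.
    for s in (
        Session("forwarder.example.net", "SRS0=h1a2=12=example.org=alice@forwarder.example.net", "pass"),
        Session("mx.unknown.test", "SRS0=h1a2=12=example.org=alice@unknown.test", "pass"),
        Session("mail.example.com", "bob@example.com", "fail"),
        Session("mail.example.com", "bob@example.com", "softfail"),
    ):
        print(s.client_host, s.mail_from, "->", decide(s))
```

The ordering matters: the forwarder whitelist is consulted before the SPF result, so a whitelisted forwarder that has not yet deployed SRS is still accepted, while an SRS-rewritten sender arriving from an undesignated host is refused even though its SPF check passes against the rewriting domain.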