Re: SPF Record ...
From | Peter Eisentraut |
---|---|
Subject | Re: SPF Record ... |
Date | |
Msg-id | 200611171136.14762.peter_e@gmx.net |
In response to | Re: SPF Record ... ("Magnus Hagander" <mha@sollentuna.net>) |
Responses | Re: SPF Record ... |
List | pgsql-www |
On Friday, 17 November 2006 10:34, Magnus Hagander wrote:

> Publishing SPF records for this organisation was a big win, and
> it has noticeably cut down the spam complaints we've received when
> spammers have forged from addresses from our domains.

This is really the only thing that SPF accomplishes: It cuts down on a particular domain/ISP being used for fake email addresses in spam. But a spammer can programmatically pick some other domain that does not publish SPF records.

But note that SPF evaluates the *envelope* of the email, so this does not really help the trustworthiness of the sender addresses perceived by the user, and so it doesn't help phishing either.

So in the end, SPF achieves merely a convenience for the postmaster of the ISP while providing at best equal but usually worse service for the users.

> Another good example of this is any of the big webmail services. Hotmail
> users, for example, don't get to do SMTP, so why should you accept a
> message from a hotmail user that hasn't been verified as a hotmail user?

SPF checks the envelope sender address. That is the address where to send replies and bounces. Certainly Hotmail accepts replies and bounces via SMTP. So if some random mail server sends me mail with `MAIL FROM: <blah@hotmail.com>`, that is perfectly valid and has nothing to do with whether Hotmail users can submit new emails via SMTP or whether the message is spam or whatever.

What you perhaps want is Sender ID or Domain Keys, which are technically more sound solutions, although they have some of the same problems.

> As for redundancy - if you have only one mailserver, then yes, it will
> limit you. But really, does *anybody* have just one mailserver these
> days?

Sure, if you have an ISP or company that only allows you to use theirs.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
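
The distinction drawn in the message above, between the envelope sender that SPF evaluates and the `From:` header the recipient sees, as an added example that is not part of the original post. It is a simplified evaluator that handles only the `ip4` and `all` mechanisms; the records, domains, addresses and function names are constructed for illustration (documentation domains and IP ranges, not real DNS data).

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF TXT records; example.com deliberately publishes none.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def check_spf(client_ip, mail_from):
    """Simplified SPF check of the envelope sender (MAIL FROM) only."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if record is None:
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def evaluate(client_ip, mail_from, raw_message):
    """Return (spf_result, envelope_domain, header_from_domain)."""
    header_from = parseaddr(message_from_string(raw_message)["From"])[1]
    return check_spf(client_ip, mail_from), domain_of(mail_from), domain_of(header_from)

# Constructed message: the From: header shown to the user names example.org.
MESSAGE = "From: Accounts <billing@example.org>\nSubject: invoice\n\nbody\n"

if __name__ == "__main__":
    # Envelope sender in an SPF-publishing domain, connecting host not listed.
    print(evaluate("203.0.113.9", "billing@example.org", MESSAGE))
    # Same host and same visible From:, envelope sender in a domain without SPF.
    print(evaluate("203.0.113.9", "bounce@example.com", MESSAGE))
    # Envelope sender in a domain that lists the host; visible From: unchanged.
    print(evaluate("198.51.100.7", "bounce@example.net", MESSAGE))
```

In the second and third cases the SPF result is `none` and `pass` while the header `From:` domain is still `example.org`, so a receiver that wants to say anything about the displayed sender has to compare the two domains itself.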