On 2008-12-09 at 19:37 +0200, [EMAIL PROTECTED] wrote:
> I took google's blocks for my whitelist from gmail's spf. The blocks are
> large:
> 216.239.32.0/19 : 64.233.160.0/19 : 66.249.80.0/20 : \
> 72.14.192.0/18 : 209.85.128.0/17 : 66.102.0.0/20 : \
> 74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 : \
> so I think that addition of new large blocks is unlikely.

It's not as unlikely as you are hoping. The address blocks basically cover a lot of Google's external IP addresses, where mail might come from if turned up as a service.

You probably want to automatically check _netblocks.google.com / _spf.google.com SPF records as part of whatever build-scripts you use, if you don't want to rely upon dnswl.org. Or just do both.

Myself, on my personal system I rely upon dnswl.org. It tends to be up-to-date for Gmail and I have high hopes of the situation here improving. By using a generic list like dnswl.org I don't need to special-case any big provider.

I am getting strongly tempted, again on my personal systems, to turn on a hard-mandate that a message must have a verified DKIM signature if the From: address is @gmail.com and there's no sign of a mailing-list in the headers; in fact, making that apply to a number of domains including some big US banks would cut down on the amount of spam which makes it past my other checks.

There's no need to wait on RFCs for DKIM sender signing policies for domains if I, as a mail-admin, choose to impose a given policy for a given remote domain -- it won't scale well, but it should do to be getting on with, until SSPs are codified.

-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
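
The build-script check suggested in the reply, as an added example (not code from this thread or from Exim): it walks an SPF record through `include:` and `redirect=` and reports published networks that the whitelist quoted above does not cover. The TXT records are constructed samples served from a dict, and `sample_lookup`, `spf_networks` and `uncovered` are hypothetical names; a real script would replace `sample_lookup` with a DNS TXT query.

```python
import ipaddress
import sys

# Whitelist blocks copied from the quoted message.
WHITELIST = [ipaddress.ip_network(n) for n in (
    "216.239.32.0/19 64.233.160.0/19 66.249.80.0/20 72.14.192.0/18 "
    "209.85.128.0/17 66.102.0.0/20 74.125.0.0/16 64.18.0.0/20 "
    "207.126.144.0/20").split()]

# Constructed TXT answers, not real DNS data. 198.51.100.0/24 is a
# documentation range standing in for a newly published block.
SAMPLE_TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:216.239.32.0/19 "
                             "ip4:74.125.16.0/20 ip4:198.51.100.0/24 ~all",
}

def sample_lookup(domain):
    """Stand-in for a DNS TXT query (assumption: swap in a real resolver)."""
    return SAMPLE_TXT.get(domain, "")

def spf_networks(domain, lookup, seen=None):
    """Collect ip4/ip6 networks an SPF record passes, following
    include: and redirect= into other records."""
    seen = set() if seen is None else seen
    if domain in seen or len(seen) >= 10:  # loop guard and lookup cap
        return set()
    seen.add(domain)
    nets = set()
    for term in lookup(domain).split()[1:]:  # skip the "v=spf1" tag
        if term[0] in "-~?":  # only passing mechanisms matter here
            continue
        name, _, value = term.lstrip("+").replace("=", ":", 1).partition(":")
        if name.lower() in ("include", "redirect"):
            nets |= spf_networks(value, lookup, seen)
        elif name.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
    return nets

def uncovered(domain, lookup, whitelist=WHITELIST):
    """Published networks that no whitelist entry contains."""
    missing = [n for n in spf_networks(domain, lookup)
               if not any(n.version == w.version and n.subnet_of(w)
                          for w in whitelist)]
    return [str(n) for n in sorted(missing, key=lambda n: (n.version, n))]

if __name__ == "__main__":
    gaps = uncovered("gmail.com", sample_lookup)
    print("not in whitelist:", gaps)
    sys.exit(1 if gaps else 0)  # fail the build when the list is stale
```
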
