On Mon, 17 Aug 2009 19:38:41 you wrote:
> 
> --On 15 May 2009 11:33:15 +1000 Richard Salts <[email protected]> wrote:
> 
> >
> > I'm not sure that SPF is such a great utility, except for whitelisting
> > valid senders' emails. Receiving a message from a host not listed for the
> > domain isn't a good indication that the email is a forgery, as
> > forwarding breaks this assumption.
> 
> It's too late to worry about this. Already several important domains 
> publish spf records with "-all", and some large email providers like Google 
> use spf records in their spam assessments.
> 
> You can see a list of top domains with spf "-all" records at 
> <http://spf-all.com/>.
The litmus test is not people publishing spf records with -all, but people 
rejecting based on this policy. If enough people in a business start 
complaining about emails being rejected from a -all policy it's a simple 
matter for a local administrator to change it back to ?all.

> 
> If you're forwarding mail for your users without rewriting the sender 
> domain, then you should expect some of that forwarding to fail.
The problem with this is that if you're forwarding the email around through 
too many hops the localpart on the envelope sender is eventually going to be 
too long to be a valid email address, especially if you're using a 
cryptographic hash in the envelope of the rewritten sender. Not using a hash 
opens you up to spammers being able to create backscatter spam through your 
forwarding service by forging a bounce to their rewritten sender address.

> 
> SPF will cause some pain for the next few years, while forwarders catch up. 
> In the end, it'll give us a huge benefit of allowing us to assign 
> reputation to a sender address - before we see the body of an email.
A reputation service on sender address would be great. But I don't think it's 
that much more helpful than the current IP-based reputation services. 
Admittedly it's much more intuitive to end users of email, but I think most 
of them will probably handball the task to their email administrator, or 
would quickly be able to grasp the current disconnect between domain 
reputation and IP address reputation.

> 
> 
> -- 
> Ian Eiloart
> IT Services, University of Sussex
> 01273-873148 x3148
> For new support requests, see http://www.sussex.ac.uk/its/help/
> 



-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
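
The trade-off raised in the reply above (a keyed hash in the rewritten envelope sender stops forged bounce addresses, but nesting the rewrite on every hop grows the local-part), as an added Python example that is not part of the original message. The `fwd=` address layout, the domains and the shared secret are constructed for illustration and are not the format of any particular rewriting tool.

```python
import hashlib
import hmac

MAX_LOCALPART = 64  # RFC 5321 limit on the local-part, in octets


def tag(secret: bytes, payload: str, length: int = 8) -> str:
    """Truncated HMAC-SHA256 over the payload (hypothetical tag format)."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:length]


def rewrite(sender: str, forwarder_domain: str, secret: bytes) -> str:
    """Wrap the envelope sender so bounces come back through forwarder_domain."""
    local, _, domain = sender.rpartition("@")
    payload = f"{domain}={local}"
    return f"fwd={tag(secret, payload)}={payload}@{forwarder_domain}"


def verify(rewritten: str, secret: bytes):
    """Return the wrapped sender if the tag checks out, else None."""
    local = rewritten.rpartition("@")[0]
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "fwd":
        return None
    _, got, payload = parts
    if not hmac.compare_digest(got, tag(secret, payload)):
        return None  # bounce to an address this forwarder never issued
    domain, _, orig_local = payload.partition("=")
    return f"{orig_local}@{domain}"


def hops_until_overflow(sender: str, hops, secret: bytes):
    """Nest the rewrite once per hop; report the first hop that exceeds the limit."""
    addr = sender
    for n, domain in enumerate(hops, 1):
        addr = rewrite(addr, domain, secret)  # one secret reused for brevity
        if len(addr.rpartition("@")[0]) > MAX_LOCALPART:
            return n, addr
    return None, addr


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    hops = ["list1.example", "list2.example", "list3.example"]
    n, addr = hops_until_overflow("alice@example.org", hops, secret)
    print(f"local-part exceeds {MAX_LOCALPART} octets at hop {n}: {addr}")
```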