> But you likely cannot guarantee that ALL legitimate mail from your
> domain will actually be sent through your server.

You may not, but we can. Even for networks that block port 25, we have never had a problem with using an alternate SMTP port to connect and send. And for those who must send out through other mail servers, we include those in the SPF record. Note that this is not major ISPs, but standalone mail servers at a customer location.

Does this require policing to make sure all mail gets sent through approved servers? Yes, but in my opinion this should be part of any network/domain policy. Allowing people to send through unapproved servers is just asking for trouble... and I'm sure is what gets a domain on my SPF dummies list.

Darin.

----- Original Message -----
From: "Tyran Ormond" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, December 21, 2005 11:01 AM
Subject: Re: [IMail Forum] An update on SPF

On 10:14 AM 12/21/2005 -0500, it would appear that Chris Anton wrote:
> Joe,
> SPF records serve a very good purpose: to stop other servers from
> sending mail that only YOUR server should be sending... AKA forging
> viruses / forging spam / forging phishing. This is VERY important in
> the effort to curb all the forging junk that bombards us all day long.
> -Chris

But you likely cannot guarantee that ALL legitimate mail from your domain will actually be sent through your server.

Simple example: A telecommuting employee's home ISP blocks outgoing port 25 (there are still email clients and email servers (earlier versions of IMail, for example) that won't support port 587, so saying "Just use port 587" is not a valid argument) and forces all outgoing mail to run through their server. As soon as that employee sends out a message using a work address, whether you like it or not and, more importantly, whether your SPF record reflects it or not, that employee's ISP's mail server is relaying legitimate email for your domain.

Now, what happens if your SPF record says that your server is the ONLY server authorized to relay mail from your domain? Your telecommuting employee's email will *always* fail any SPF test. You could solve this by including your employee's ISP server in your SPF records. No problem, unless you have multiple telecommuting employees, unless they switch ISPs, unless those same telecommuters also travel on the road, and the possible headaches continue.

IF you can guarantee that 100% of the legitimate mail from your domain absolutely must, will and can travel only through a server on your domain such that you can use "v=spf1 a mx -all", then SPF can be argued to be of use in validating email from your domain. If, like most, you cannot make such an absolute guarantee and use "v=spf1 a mx ~all", then, in my opinion, your SPF record does more harm than good. As the number of legitimate "v=spf1 a mx -all" records is minuscule, I don't even bother checking SPF.

Tyran Ormond
Programmer/LAN Administrator
Central Valley Water Reclamation Facility
[EMAIL PROTECTED]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
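The "-all" versus "~all" argument in this thread, and Darin's approach of listing a customer's standalone server explicitly, worked through in code. This is an added example, not IMail's code and not anything posted by the list members. It uses a constructed in-memory DNS table in place of real lookups (example.com, mail.example.com and the 192.0.2.x / 198.51.100.7 / 203.0.113.5 addresses are hypothetical documentation-range values), supports only the mechanisms the thread mentions (a, mx, ip4, all) plus the four qualifiers, and the receiver-action mapping is one common convention rather than anything the standard mandates.

```python
import ipaddress

# Constructed zone data standing in for DNS. Hosts and addresses are
# hypothetical; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges.
FAKE_DNS = {
    "example.com":      {"A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(dns, name, rtype):
    """Return the records of type rtype for name, or [] if none (no real DNS)."""
    return dns.get(name, {}).get(rtype, [])


def _matches(mechanism, arg, ip, domain, dns):
    """True if the connecting IP matches a single mechanism."""
    if mechanism == "all":
        return True
    if mechanism == "ip4":
        # ip4:192.0.2.0/24 or a bare address (treated as /32)
        return ip in ipaddress.ip_network(arg, strict=False)
    if mechanism == "a":
        # 'a' alone uses the sender domain; 'a:host' names another host
        return str(ip) in _lookup(dns, arg or domain, "A")
    if mechanism == "mx":
        # any A record of any MX host of the domain
        return any(str(ip) in _lookup(dns, host, "A")
                   for host in _lookup(dns, arg or domain, "MX"))
    raise ValueError(f"unsupported mechanism: {mechanism}")


def evaluate_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Evaluate an SPF record for a connection from sender_ip whose
    MAIL FROM is @domain. Mechanisms are tested left to right; the first
    match decides. Returns pass, fail, softfail, neutral or none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"        # an unprefixed mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if _matches(mechanism.lower(), arg, ip, domain, dns):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # nothing matched: RFC 7208 default


def receiver_action(spf_result):
    """One common receiving-MTA policy (site-specific, not a standard):
    hard fail rejects, soft fail is accepted but tagged for filtering."""
    return {"fail": "reject", "softfail": "accept-and-tag"}.get(spf_result, "accept")


def scenario(domain="example.com"):
    """Walk the cases argued in the thread; returns {case: (result, action)}."""
    strict = "v=spf1 a mx -all"
    soft = "v=spf1 a mx ~all"
    # Darin's approach: the customer's standalone server listed explicitly.
    with_partner = "v=spf1 a mx ip4:198.51.100.7 -all"
    cases = {
        "own MX, strict":           (strict, "192.0.2.25"),
        "telecommuter ISP, strict": (strict, "203.0.113.5"),   # Tyran's case
        "telecommuter ISP, soft":   (soft, "203.0.113.5"),
        "listed partner, strict":   (with_partner, "198.51.100.7"),
    }
    out = {}
    for name, (record, ip) in cases.items():
        result = evaluate_spf(record, ip, domain)
        out[name] = (result, receiver_action(result))
    return out


if __name__ == "__main__":
    for name, (result, action) in scenario().items():
        print(f"{name:28s} -> {result:8s} ({action})")
```

The run shows both sides of the thread at once: the telecommuter relayed through an unlisted ISP server gets "fail" (reject) under "-all" and "softfail" (accepted, tagged) under "~all", while a customer's server that has been added with ip4: passes the strict record. Receivers that treat softfail as near-neutral are why Tyran sees little value in "~all"; senders that can enumerate every legitimate relay are why Darin can afford "-all".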
