On 9 Jul 2012, at 13:15, Reindl Harald wrote:

> On 09.07.2012 19:00, Bill Cole wrote:
>> On 9 Jul 2012, at 11:20, Curtis Maurand wrote:
>>> This has probably been asked in the past, but is it worth it to go through
>>> the contortions to set up SPF?
>>
>> On the sending side, the simple answer is "YES!"
>>
>> There is a more complex and nuanced answer. There's a significant amount of
>> misunderstanding about the benefits SPF actually will yield (not much, for
>> most sending domains) and about the "contortions" required for it (again: for
>> most domains a pragmatic SPF setup is trivial.) If you expect accurate SPF to
>> make everyone always accept your valid mail, you will be disappointed.
>
> correct but it helps
>
>> If you expect to be able to safely use a "-all" tail on a record for a domain
>> that is used on legit mail, you stand a strong chance of disappointment
>
> why?

(1) There are many perfectly innocent systems that allow traditional
transparent forwarding (i.e. as with aliases or .forward files) from
local addresses to arbitrary external addresses. Some domains (including
some belonging to professional and university alumni organizations) have
large numbers of users but no local delivery at all, merely acting as
forwarders without touching the envelope sender of mail they handle.
(2) There are well-meaning services (including major newspaper websites)
which send surrogate mail for their users with the users' email address
as the envelope sender.
(3) There are receiving systems that treat an SPF "hard fail" result as
an absolute or near-absolute basis for rejection of mail.
As a result, it is common for people to send to a forwarded address
unknowingly or to click a "mail this page to a friend" link on a website
and generate a situation in a final SMTP hop that cannot affirmatively
pass any SPF check (except with a simple "+all" record, which would be
pointless.)
If you want to make a stand on aspirational principles for all of your
users that transparent forwarding is bad and surrogate mail should carry
an envelope sender of the surrogate in all cases, and you are willing to
have some mail that your users want to send or to have sent on their
behalf fail, then using a "-all" tail on an SPF record might be good and
proper for your domain. The freedom to make such a quixotic stand is
uncommon for mail systems with more than a few score users.
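
The forwarding case in points (1) and (3), as an added example that is not part of the original message: a simplified SPF evaluator showing what the final SMTP hop sees when the envelope sender is kept but the connecting IP is the forwarder's. It assumes a constructed record and documentation-range addresses, supports only the `ip4`, `ip6` and `all` mechanisms, and does no DNS lookups.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208); a mechanism with no qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, record):
    """Evaluate a simplified SPF record (ip4/ip6/all only, no DNS lookups)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        name, _, value = mech.partition(":")
        if name not in ("ip4", "ip6") or not value:
            raise ValueError(f"mechanism not supported in this sketch: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there is no "all" tail

def final_hop_results(record, sender_mta, forwarder):
    """SPF result at the final receiver for direct vs. transparently forwarded mail.

    A transparent forwarder keeps the original envelope sender, so the final
    receiver checks the sender domain's record against the forwarder's IP.
    """
    return {"direct": check_host(sender_mta, record),
            "forwarded": check_host(forwarder, record)}

# Constructed sample data (documentation address ranges, hypothetical domain).
SENDER_MTA = "192.0.2.25"    # outbound server of the sending domain
FORWARDER = "198.51.100.7"   # e.g. an alumni forwarding host, not in the record
RECORDS = {tail: f"v=spf1 ip4:192.0.2.0/24 {tail}" for tail in ("-all", "~all", "+all")}

if __name__ == "__main__":
    for tail, record in RECORDS.items():
        r = final_hop_results(record, SENDER_MTA, FORWARDER)
        print(f"{tail}: direct={r['direct']:<8} forwarded={r['forwarded']}")
```

With the `-all` record the forwarded hop returns `fail`, which a receiver as in point (3) would reject; `+all` passes from any address and so asserts nothing.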