On 09.07.2012 20:25, Bill Cole wrote:
> On 9 Jul 2012, at 13:15, Reindl Harald wrote:
>>> If you expect to be able to safely use a "-all" tail on a record for a domain
>>> that is used on legit mail, you stand a strong chance of disappointment
>>
>> why?
> 
> (1) There are many perfectly innocent systems that allow traditional
> transparent forwarding (i.e. as with aliases or .forward files) from local
> addresses to arbitrary external addresses. Some domains (including some
> belonging to professional and university alumni organizations) have large
> numbers of users but no local delivery at all, merely acting as forwarders
> without touching the envelope sender of mail they handle.

so the user is responsible that his destination server is
not rejecting mails from the forwarding server

> (2) There are well-meaning services (including major newspaper websites)
> which send surrogate mail for their users with the users' email address as
> the envelope sender.

they are doing it simply wrong

> (3) There are receiving systems that treat a SPF "hard fail" result as an
> absolute or near-absolute basis for rejection of mail.

sad that not all are doing this

> As a result, it is common for people to send to a forwarded address
> unknowingly or to click a "mail this page to a friend" link on a website and
> generate a situation in a final SMTP hop that cannot affirmatively pass any
> SPF check (except with a simple "+all" record, which would be pointless.)

as said: these services are doing it wrong

any webservice MUST NOT use a random foreign domain as sender these days

> If you want to make a stand on aspirational principles for all of your users
> that transparent forwarding is bad and surrogate mail should carry an
> envelope sender of the surrogate in all cases, and you are willing to have
> some mail that your users want to send or to have sent on their behalf fail,
> then using a "-all" tail on a SPF record might be good and proper for your
> domain. The freedom to make such a quixotic stand is uncommon for mail
> systems with more than a few score users.

and because too many people argue this way resulting in a lot of spam
with forged envelope-senders because too few domains with SPF records

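The forwarding case argued over in this thread, as an added example that is not part of either poster's message: a small evaluator for the ip4/ip6/all subset of SPF, run against the final SMTP hop for direct delivery, transparent forwarding, and forwarding with a rewritten envelope sender. The domains, addresses and records are constructed (reserved example names and documentation IP ranges), and the records sit in a dict where a real check would query DNS.

```python
import ipaddress

# Constructed SPF records; a real receiver fetches these from DNS TXT.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",            # author's domain
    "alumni.example.net": "v=spf1 ip4:198.51.100.0/24 -all",  # forwarder's domain
    "soft.example.com": "v=spf1 ip4:192.0.2.0/24 ~all",       # soft-fail tail
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all terms for the IP that connects on this SMTP hop."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"               # mechanism outside this subset
    return "neutral"                         # no term matched

def scenarios():
    """Result seen by the final receiver; 198.51.100.7 is the forwarder's host."""
    sender = "alice@example.org"
    return {
        "direct": check_spf("192.0.2.25", sender),
        "transparent forward": check_spf("198.51.100.7", sender),
        "forward, rewritten sender":
            check_spf("198.51.100.7", "fwd-bounce@alumni.example.net"),
        "transparent forward, ~all":
            check_spf("198.51.100.7", "bob@soft.example.com"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} {result}")
```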