> -----Original Message-----
> From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 25, 2006 3:13 PM
> To: Spamassassin Users List
> Subject: Re: SPF breaks email forwarding
>
> You find me a large scale installation that is actually checking, and
> rejecting on, SPF records before DATA and isn't frequently rejecting
> mail their users want and I'll buy you lunch.
You find me a large scale installation that is rejecting SPAM and isn't frequently rejecting mail their users want and I'll buy dinner.

Let's face it: SMTP is broken, but the fixes are just compromises between allowing spam, viruses, phishing and email. Any changes to SMTP will break legitimate email. You wonder what happens if you enforce all the RFCs on email?

How many large installations use 'localhost.localdomain' as the FQDN for their outbound helo? (send an email to [EMAIL PROTECTED] and see the headers!)

How many large installations don't use ANY fqdn for RDNS, and the PTR and A records don't match?

How many large installations don't have abuse@ or postmaster@ records?

http://www.rfc-ignorant.org/tools/lookup.php?domain=hotmail.com
http://www.rfc-ignorant.org/tools/lookup.php?domain=gmail.com
http://www.rfc-ignorant.org/tools/lookup.php?domain=yahoo.com

(with a bad whois record, can't they lose their yahoo.com domain :-)?

Even if you enforce existing RFCs, you will drop email 'users want'. For 12 years, people have been arguing about how to fix it.

If someone wants to advertise spf records, and wants to use ?all, or ~all if they are timid, more power to them.

host -t txt microsoft.com
microsoft.com descriptive text "v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com ~all"

host -t txt hotmail.com
hotmail.com descriptive text "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all"

If a bank decides that forwarding email sent to clients is a bad idea, and wants to publish -all records, that's fine also. If an ISP wants to trigger additional tests for email that softfails, or block at smtp session email that hardfails, then all they are doing is taking the suggestions of the sending domain.

host -t txt chase.com
chase.com descriptive text "v=spf1 ip4:170.148.48.0/24 ip4:159.53.36.0/24 ip4:159.53.46.0/24 ip4:159.53.110.0/24 -all"
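To make the difference between ?all, ~all and -all concrete, here is an added example (not part of the post above, and not SpamAssassin's own SPF code) that evaluates the mechanisms appearing in the quoted records (ip4, mx, include, all with each qualifier) against a constructed in-memory DNS table. The zones bank.example, corp.example, _spf.corp.example and loop.example and their addresses are hypothetical; the smtp_action mapping reproduces the receiver policy the post describes (hardfail rejected in the SMTP session, softfail handed to further tests).

```python
import ipaddress

# Constructed, in-memory DNS data (assumption: hypothetical example zones,
# not the real records quoted in the post).
DNS = {
    "txt": {
        "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
        "corp.example": "v=spf1 mx include:_spf.corp.example ~all",
        "_spf.corp.example": "v=spf1 ip4:198.51.100.0/25 ?all",
        "loop.example": "v=spf1 include:loop.example -all",
    },
    "mx": {"corp.example": ["mail1.corp.example"]},
    "a": {"mail1.corp.example": ["203.0.113.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 4408 limit on DNS-querying mechanisms per check


def dns_lookup(rtype, name):
    """Stand-in for a resolver: returns the record (list or string) or None."""
    return DNS[rtype].get(name)


def _host_has_ip(name, addr):
    """True if any A record of <name> equals the connecting address."""
    return any(ipaddress.ip_address(a) == addr for a in dns_lookup("a", name) or [])


def check_host(ip, domain, _lookups=None):
    """Evaluate <domain>'s SPF record for connecting address <ip>.

    Returns pass / fail / softfail / neutral / none / permerror, the
    result names SPF uses. Mechanisms are tried left to right; the first
    one that matches decides, with its qualifier giving the result.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across includes
    record = dns_lookup("txt", domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]

        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term in ("mx", "a") or term.startswith("include:"):
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups; also stops include loops
            if term.startswith("include:"):
                sub = check_host(ip, term[len("include:"):], _lookups)
                if sub in ("none", "permerror"):
                    return "permerror"  # included domain has no usable policy
                matched = sub == "pass"  # only a pass from the include matches
            elif term == "mx":
                matched = any(_host_has_ip(mx, addr)
                              for mx in dns_lookup("mx", domain) or [])
            else:
                matched = _host_has_ip(domain, addr)
        else:
            return "permerror"  # mechanism this toy evaluator does not implement

        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term: SPF says neutral


def smtp_action(result):
    """Receiver policy as the post describes it: hardfail is rejected in the
    SMTP session, softfail triggers additional tests, everything else passes
    through to normal delivery/filtering."""
    return {"fail": "reject", "softfail": "extra-tests"}.get(result, "accept")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "bank.example"), ("198.51.100.200", "bank.example"),
                    ("198.51.100.200", "corp.example"), ("203.0.113.10", "corp.example"),
                    ("192.0.2.1", "loop.example")]:
        r = check_host(ip, dom)
        print(f"{ip:>16} {dom:<18} {r:<9} -> {smtp_action(r)}")
```

Note how the same connecting address gets a different outcome purely from the publisher's choice of trailing qualifier: a -all domain turns an unlisted sender into a rejection, ~all into a score bump for later tests, and ?all into no opinion at all, which is exactly the "taking the suggestions of the sending domain" point above.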