[Mimedefang] Deadline for SPF records

Dave Williss dwilliss at microimages.com
Tue Aug 10 10:12:38 EDT 2004


----- Original Message ----- 
From: "Cor Bosman" <cor at xs4all.nl>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, August 10, 2004 4:06 AM
Subject: Re: [Mimedefang] Deadline for SPF records


> > Let's say that the SPF record for futuresource.com says that the
> > allowed relay is mail.futuresource.com. This means that mail coming
> > from mail.futuresource.com (as the relay) is legitimate and that all
> > other mail is likely to be forged. Now, why would
> > mail.futuresource.com allow someone to spoof the envelope sender from
> > its own domain? For example, my mail server has been configured to
> > check all envelope sender addresses which are from local domains.
> > Therefore, I can't send a message with an envelope sender of
> > fakeusername at wiktel.com. If SPF was widely adopted, these two
> > measures would effectively stop forgery of all wiktel.com addresses.
>
> Do you also check notfakeusername at hotmail.com?

If notfakeusername is a valid hotmail user, hotmail's mail server should be
able to verify that.  If hotmail also implements SPF, you can verify that
the mail actually came from a hotmail server.

> What about people sending email themselves but receiving through your MX?

SPF will allow your mail server to verify that the mail they're receiving
is really coming from where it says it is - sort of.  Granted, Spam that
comes from a domain not using SPF can't be verified.  But as mentioned
before, it will stop bounces.

> What about people that have access through another company with
> one of your domains but they aren't using your mailserver with
> authentication?

You mean like an employee on the road using a hotel's ISP or at a
wireless hotspot connecting back to your mail server to send mail
as from your company?  _Make_ them use authentication.  Although
as I mentioned in an earlier message, I don't know if the current
(E)SMTP authentication encrypts the password or sends it in
cleartext.

> What about receiving email from notfakeuser at aol.com from a mailserver
> that isn't listed as being from AOL, to a valid customer of yours?

I receive that sort of Spam mail all the time.  If they're really an AOL
customer, they should be using an AOL mail server.
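
An added illustration, not part of the original message or the thread: a simplified SPF evaluation in Python covering the cases discussed above (mail from the listed relay, mail from an unlisted host such as a hotel network, and a sender domain that publishes no SPF record). The TXT and A tables are constructed stand-ins for DNS, the example.net record and all IP addresses are made up, and only the ip4, ip6, a and all mechanisms are handled.

```python
import ipaddress

# Constructed data standing in for DNS TXT and A lookups (documentation IP ranges).
TXT = {
    # The thread's hypothetical: the only allowed relay is mail.futuresource.com.
    "futuresource.com": "v=spf1 a:mail.futuresource.com -all",
    # Hypothetical domain that lists a network and only soft-fails everything else.
    "example.net": "v=spf1 ip4:192.0.2.0/28 ~all",
}
A = {"mail.futuresource.com": ["198.51.100.25"]}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender):
    """Return the SPF result for a connecting IP and an envelope sender.

    A term this sketch does not understand yields "permerror" rather than
    being skipped, so an unsupported record is never treated as a pass.
    """
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = TXT.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = A.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            return "permerror"
        if matched:                        # first matching mechanism decides
            return RESULTS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


if __name__ == "__main__":
    print(check_spf("198.51.100.25", "user@futuresource.com"))  # listed relay
    print(check_spf("203.0.113.77", "user@futuresource.com"))   # unlisted host
    print(check_spf("203.0.113.77", "someone@example.org"))     # no SPF record
```

The "fail" for the unlisted host is the roaming-user case from the thread: the same user submitting through the listed relay with authentication is evaluated against the relay's address instead.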



