[Mimedefang] Deadline for SPF records

Cor Bosman cor at xs4all.nl
Tue Aug 10 12:14:26 EDT 2004 

> > > Let's say that the SPF record for futuresource.com says that the
> > > allowed relay is mail.futuresource.com. This means that mail coming
> > > from mail.futuresource.com (as the relay) is legitimate and that all
> > > other mail is likely to be forged. Now, why would
> > > mail.futuresource.com allow someone to spoof the envelope sender from
> > > its own domain? For example, my mail server has been configured to
> > > check all envelope sender addresses which are from local domains.
> > > Therefore, I can't send a message with an envelope sender of
> > > fakeusername at wiktel.com. If SPF was widely adopted, these two
> > > measures would effectively stop forgery of all wiktel.com addresses.
> >
> > Do you also check notfakeusername at hotmail.com?
> 
> If notfakeusername is a valid hotmail user, hotmail's mail server should be
> able to verify that.  If hotmail also implements SPF, you can verify that
> the mail actaully came from a hotmail server.

I mean, one of your customers (employees, whatever) sending email through
your server using validusername at hotmail.com (basically their own hotmail
account).

> > What about people sending email themselves but receiving through your MX?
> 
> SPF will allow your mail server to verify that the mail they're receiving
> is really coming from where it says it is - sort of.  Granted, Spam that
> comes from a domain not using SPF can't be verified.  But as mentioned
> before, it will stop bounces.

Sure, but if they are sending themselves (and have for years) and suddenly
people are implementing SPF and we dont list their dynamic dialup host
as a valid senderhost, their mail will be suddenly rejected.
Yeah, they could/should use our mailserver, but im just trying to say
implementing SPF has a _lot_ of side effects.

> > What about people that have access through another company with
> > one of your domains but they arent using your mailserver with
> > authentication?
> 
> You mean like an employee on the road using a hotel's ISP or at a
> wireless hotspot connecting back to your mail server to send mail
> as from your company?  _Make_ them use authentication.  Although
> as I mentioned in an earlier message, I don't know if the current
> (E)SMTP authentication encrypts the password or sends it in
> cleartext.

Plaintext, you need to use SSL. How do you 'make' them use authentication?
You dont control if they decide to use the hotspot's email smarthost, or
use software that does the delivery itself. If you publish SPF records,
then their email will be rejected. Maybe not such a big deal in your
case, but im sure we have thousands of customers emailing with our
domain name from remote locations not using our mailservers.
(say they have cable, and not DSL through us, but still have an account
with us, and they're sending email through the cable-isps email servers
or directly, using our domain as a sender domain). 

> > What about receiving email from notfakeuser at aol.com from a mailserver
> > that isnt listed as being from AOL, to a valid customer of yours?
> 
> I receive that sort of Spam mail all the time.  If they're really an AOL
> customer, they should be using an AOL mail server.

Plenty of people in this world send completely valid email through
servers not necessarily being the right 'spf' hosts for that domain.
Perhaps they shouldnt, but they do. 

As an ISP (we handle millions of emails a day), all these issues 
complicate implenting SPF quite a bit,

Cor

More information about the MIMEDefang mailing list