On 12/21/2011 11:24 PM, Richard Damon wrote:
On 12/18/11 5:40 PM, Reindl Harald wrote:
Am 18.12.2011 23:33, schrieb Steve Fatula:
Or, allow people to spoof if they wish for some "valid" reasons.
there is no valid reason these days
on SPF enabled domains it must not happen
who the **** configures smtp-servers to allow foreign sender-domains?

so normally should allow this senders and the only conclusion get
incoming mails with own domains are stupid users or spammers

I can see a very good and common use case for this (If I am
understanding the situation being described).

Let us say that I subscribe to internet access with example.net, and
generally send my email out through them. Let us also say that I help
out at a small non-profit which has the domain example.org. Example.org
is a small organization, and its internet appearance is on a minimal
shared hosting account; for incoming email, various addr...@example.org
email addresses are set to forward to those individuals' personal email
accounts at their ISPs. It does not have a dedicated outgoing email server.

If I want to send out an email, to be sent as a member of example.org
and using an example.org email address, my only option is to send it out
via example.net (as that is my outgoing email service). This is a very
real need, and I suspect that if you checked, there are likely a large
number of domains that fall into this problem. They just need to be low
enough volume to not need a full commercial hosting package, but just
big enough that the email package the limited capabilities of a
"personal" hosting package is insufficient to be shared by the users.
(The issue is that everyone often shares the SMTP account password,
which is sometimes linked to an incoming account email password)

I also have one web hosting provider that basically does NOT provide
outgoing SMTP service, they specifically state that they expect you to
be using your ISP's SMTP server to be sending out your email. (They do
provide a very throttled outgoing SMTP server if you really need it).

In this environment, for an ISP to say that your outgoing emails must be
from "their" domain, would be unacceptable, and cause a loss of business.

example.net does need to do enough tracking so that if an abuse claim is
received, they can determine who is responsible for the abuse, but
limiting the To field to be just m...@example.net is not needed. Yes,
example.org can't use DKIM to protect its outgoing messages, and SPF
would be difficult and slightly ineffective (having to get the
information from all their members to figure out what all the possible
sender domains would be), but if they are a small organization, they may
not be that worried about impersonation.

Now, if an organization provides outgoing SMTP and outgoing webmail (for
times when their users can't get to a real email client, but just have
vanilla web access), then they could say that if an email comes from the
outside world claiming to be from them, it is likely a spoof and rejectable.

We've had the same issues. One was a service that was offered by Adobe. It sent info to our clients using our email addresses. I had to remove SPF records from our domain as they had none I could import. Try telling Adobe something if you want to talk to a brick wall. Another is an online payment system. It sends our invoices using our email address. Fortunately, they do have an SPF record we can import. We have clients with the same issues with things like online reservation systems.

To me, SPF is great but the world (translated as stupid email admins) has not yet figured it out in too many instances. Some dummy sees that they can do spam filtering and block on SPF in some GUI and it 'seems' to work. Email still comes through, more 'ass'umed spam is blocked. Then I find they have a gateway and then run the same checks on the mailserver which blocks since the email looks to be spoofed as it came in from their gateway! Try explaining to an end user why their email can't get through from their SPF enabled domain when it can from some other email service. They just want their email to get there and it is very important to them.

One thing about email. There are NO hard rules beyond the RFCs and even those are badly abused on many fronts these days. Exceptions abound!

--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
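
The two SPF situations described in the message above (a third-party sender covered by an imported record, and an internal server re-checking mail relayed by its own gateway), as an added example that is not part of the original thread. The domains, addresses, record contents and function names are constructed for illustration, and only the `ip4`, `include` and `all` terms of SPF are evaluated.

```python
import ipaddress

# Constructed TXT records (documentation address ranges) standing in for DNS.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:payments.example -all",
    "payments.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for client_ip and domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops (simplified lookup limit)
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_spf(client_ip, term[8:], records, depth + 1)
            if inner == "pass":  # include matches only on a nested pass
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"

def spf_at_internal_server(hops, domain, own_relays):
    """hops: connecting IPs, most recent first. Skip our own gateways and
    check the first outside address, which is what the edge gateway saw."""
    for ip in hops:
        if ip not in own_relays:
            return check_spf(ip, domain)
    return "none"

if __name__ == "__main__":
    hops = ["203.0.113.10", "198.51.100.25"]  # our gateway, then the sender
    print(check_spf("198.51.100.25", "example.org"))  # invoicing service
    print(check_spf("203.0.113.10", "example.org"))   # naive gateway re-check
    print(spf_at_internal_server(hops, "example.org", {"203.0.113.10"}))
```
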
