On 2005-07-05 22:03:09 -0400, Bob Dodds wrote:
> That's what convinced me to go ahead and let spf issue
> a deny on "fail", not on "softfail". I first started looking
> for the "fail" and enforcing a deny if that was spoofing
> my domains, but then I realized there isn't any harm
> in enforcing deny for all domains that have spf set up.
> Why would they set up spf if they didn't want us to
> enforce their work? If it breaks they ought to go ahead
> and fix it. If they need srs they should find out.

The ones who set up SPF and the ones who need SRS are not always the
same people. For example, we (luga.at) publish SPF records for our
domain. We run a few mailing-lists, and some of the members subscribe
addresses which just forward to another address. In a couple of cases
the final target address was at a provider which enforces SPF, so the
mails were rejected.

From our perspective, the -all at the end of the luga.at SPF record is
entirely correct: All mail with a sender of <[EMAIL PROTECTED]> has to originate
at one of a few mail servers. 

From the perspective of the user, however, the result (he doesn't get
his mail and is unsubscribed from the list) is not correct. He
legitimately owns both addresses and should be able to subscribe both
to the list. He would need to fix it at one of his addresses (either by
whitelisting the intermediate host at the final host or by rewriting
the sender (eg. with SRS) at the intermediate host), but may not be able
to do either. 

I strongly recommend providing user-configurable whitelists if you are
using SPF-records to reject mails.

        hp

-- 
   _  | Peter J. Holzer    | I now see that computers are poorly
|_|_) | Sysadmin WSR       | suited to remembering things.
| |   | [EMAIL PROTECTED]         |
__/   | http://www.hjp.at/ |    -- Holger Lembke in dan-am
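
The forwarding case and the per-user whitelist described in the message above, as an added example that is not part of the original post or any code from luga.at. The domains, addresses, SPF records and the `USER_FORWARDERS` table are constructed for illustration, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data: documentation-range addresses and example.* domains
# stand in for the list host, the forwarder and the final mailbox provider.
SPF_RECORDS = {
    "lists.example.org": "v=spf1 ip4:192.0.2.0/28 -all",
    "relaxed.example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

# Hypothetical per-recipient whitelist: hosts that forward mail to this mailbox.
USER_FORWARDERS = {
    "alice@final.example.com": ["203.0.113.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(sender_domain, client_ip):
    """Evaluate the ip4 and all mechanisms of a constructed SPF record."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def decide(rcpt, mail_from, client_ip):
    """Return (action, reason) for one recipient at the final host."""
    ip = ipaddress.ip_address(client_ip)
    # The recipient's own forwarders are checked first, and only for that
    # recipient, so one user's whitelist never relaxes SPF for anyone else.
    for entry in USER_FORWARDERS.get(rcpt.lower(), []):
        if ip in ipaddress.ip_network(entry, strict=False):
            return ("accept", "recipient whitelisted forwarder")
    result = spf_result(mail_from.rpartition("@")[2].lower(), client_ip)
    if result == "fail":  # deny on "fail" only, not on "softfail"
        return ("reject", "spf fail")
    return ("accept", "spf " + result)
```

The same forwarded list mail is accepted for the recipient who listed the forwarder and rejected for one who did not, which is the failure the message describes.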
