SPF and vger
Posted Jun 23, 2006 3:24 UTC (Fri) by SDGathman
In reply to: SPF, joe jobs, and phishing
Parent article: SPF on vger
SPF is not for everyone - that is why it is optional. However, it is a good fit for vger. The forwarding problems are caused by incorrect *checking* of SPF (neglecting to compile or check a list of non-SRS forwarders), and doesn't affect publishers unless the receiver is *really* braindead and, for example, checks SPF from behind their MX (a common first time user error).
The proposed vger application involves publishing an SPF record. The only potential forwarding issue for publishers is web greeting card type sites that don't use their own domain for the return path. This is not a problem for vger.
I have been publishing and checking SPF in production for 2 years. Most of the complaints from anti-SPF people are based on misunderstandings. For instance, the "forwarding problem" is a "doctor it hurts when I do this" problem. If you have no idea who you get forwarded mail from (even though you set them all up), then don't check SPF. Problem solved.
SRS is actually not a good solution to handle forwarders. Simply listing the forwarders is much cleaner. Listing them is easier if the forwarders publish SPF - cause then you know their IPs automatically. SRS is useful as a BATV alternative that also handles relaying.
The roaming sender problem is elegantly solved using SMTP AUTH - which has been widely available for at least 10 years.
If you publish CSV, you might as well publish SPF for your HELO names and pick up SPF checkers as well (caveat, only if HELO name is distinct from MFROM domain - an SPF namespace collision wart).
to post comments)