At 10:17 15/07/2005, Craig Humphrey wrote:
Reading through all of that, you have to wonder if SPF isn't creating more problems than it solves.
Juha
But that's what constraints are all about... It's very hard to increase restrictions without increasing complexity, just ask the security industry.
I subscribe to one of the spf mailing lists (http://archives.listbox.com/spf-help/current/) and it's showing just how hard it is for a lot of IT/ISP teams to get a grip on it.
The biggest headache for users is that they will need to use the right email address in the FROM: field and then the one they want everyone to send to in the REPLY-TO: field, otherwise anyone who had multiple (ISP) email addresses, but only sends via a single smtp server (e.g. their current ISP).
I'm a classic example, I'm using craig dot humphrey dot work at paradise dot net dot nz for this list, while I'm at work, but because Paradise won't let me send email via their smtp server, unless I'm directly connected to their network [e.g. dial-up, jetstream, etc], I have to send via the ISP I'm currently connected to.
Do Paradise not allow the use of SMTP auth? To be honest I can only ever see SPF becoming a viable solution if everybody who uses their email address in a "roaming" fashion uses SMTP auth. We've provided SMTP auth for a couple of years now, and it helps solve a lot of problems. The classic ones being users switching back and forth between GPRS/Mobile Jetstream and a normal dialup on a laptop, and also using their email address from Jetstream with another ISP (often when they take their computer into work). Enabling SMTP auth and using our smtp server solves all those problems in one stroke.
Which is even more interesting, since it's Global-Gateway. Fortunately, Xtra's smtp server is happy to "relay" for us, but if Xtra ever change their spf record from ?all to -all, I'm poked. I don't have a user at xtra dot co dot nz address to use in the from field.
My brain might not be fully engaged yet this morning, but what do Xtra's SPF records have to do with you sending using a Paradise email address? Surely it's Paradise adding an spf record that would cause you problems relaying through Xtra's mail server?
ISPs are going to need to open their smtp servers up to authenticated relaying from outside their networks.
Yep. If you do a survey of various ISPs' SMTP servers, you'll see that quite a number support it now (with a few notable big name exceptions :) and regardless of whether SPF gets adopted I hope all ISPs see the light and start moving towards providing SMTP auth.... certainly they shouldn't start publishing strict SPF records without SMTP auth as a lot of their customers will get left out in the cold with no way to send their email reliably...
Regards,
Simon
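Added example, not part of the thread: a minimal Python sketch of how a receiving server evaluates SPF for the roaming case discussed above. The check is made against the record published for the envelope sender's (MAIL FROM) domain, so the relay's own record plays no part. The domains, records and IP ranges are constructed placeholders, not any real ISP's records, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed SPF records for two hypothetical ISPs (documentation IP ranges).
RECORDS = {
    "mailbox-isp.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "relay-isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=RECORDS):
    """Evaluate SPF for the MAIL FROM domain (ip4 and all mechanisms only)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for the sender's domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


def roaming_result(all_qualifier):
    """Roaming user: mailbox-isp address, sent through relay-isp's server."""
    records = dict(RECORDS)
    records["mailbox-isp.example"] = f"v=spf1 ip4:192.0.2.0/24 {all_qualifier}all"
    return check_spf("198.51.100.25", "user@mailbox-isp.example", records)


if __name__ == "__main__":
    for q in ("?", "~", "-"):
        print(f"mailbox-isp publishes {q}all ->", roaming_result(q))
    # Same address sent through the mailbox ISP's own server, which is
    # what authenticated relaying from outside its network makes possible.
    print("via own server ->", check_spf("192.0.2.10", "user@mailbox-isp.example"))
```

The relay's `-all` record never enters the result for the roaming sender; only the mailbox ISP's choice of `?all`, `~all` or `-all` changes it.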