Reading through all of that, you have to wonder if SPF isn't creating more problems than it solves.

Juha

But that's what constraints are all about... It's very hard to increase restrictions without increasing complexity, just ask the security industry.

I subscribe to one of the spf mailing lists (http://archives.listbox.com/spf-help/current/) and it's showing just how hard it is for a lot of IT/ISP teams to get a grip on it.

The biggest headache for users is that they will need to use the right email address in the FROM: field and then the one they want everyone to send to in the REPLY-TO: field, otherwise anyone who had multiple (ISP) email addresses, but only sends via a single smtp server (e.g. their current ISP).

I'm a classic example, I'm using craig dot humphrey dot work at paradise dot net dot nz for this list, while I'm at work, but because Paradise won't let me send email via their smtp server, unless I'm directly connected to their network [e.g. dial-up, jetstream, etc], I have to send via the ISP I'm currently connected to. Which is even more interesting, since it's Global-Gateway. Fortunately, Xtra's smtp server is happy to "relay" for us, but if Xtra ever change their spf record from ?all to -all, I'm poked. I don't have a user at xtra dot co dot nz address to use in the from field.

ISPs are going to need to open their smtp servers up to authenticated relaying from outside their networks.

BTW I see that no one has mentioned that Microsoft are going to enforce spf for Hotmail (http://www.geek.com/news/geeknews/2005Jun/gee20050624031084.htm): if you don't publish spf records, then your email to Hotmail will be marked as spam. I'm guessing that this is a precursor to enforcing it for all Microsoft controlled domains. Though presumably they will have trouble enforcing it for Microsoft.com, unless they're already prepping the next version of Exchange to include spf/senderid support :)

In my opinion, SPF is not a silver bullet, but it's got the potential to help. But it's hampered by the need for everyone to use SPF aware mail servers and the (increasing) complexity of SPF records (the mailing list is full of "the wizards over-simplify and are often simply wrong".)

Oh and I see that MS's SenderID wizard outputs SPF v1 records, not SPF v2 which is what SenderID is supposed to be :)

Until everyone implements SPF records, spammers using spoofed domains will just work their way around non-SPF'ed domains. Until everyone implements SPF aware mail servers, spammers will end up targeting users who aren't behind SPF aware mail servers.

Just my 2c.....

Nothing like a Friday morning rant... I need a V....

Later'ish
Craig