Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?

Top Page
Delete this message
Reply to this message
Author: J Yunke
Date:  
To: Suresh Ramasubramanian
CC: exim-users
Subject: Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?
> Which large freemail provider is actually checking against spf
> records, as opposed to just publishing them, which is what us
> (mail.com) and to my knowledge AOL and a few other ISPs, are doing?


I used that as a common example.

However, I know Microsoft has somewhat implemented their Caller-ID plan,
which is similar to SPF with the biggest technical differences being an
XML format and its location within DNS:

> host -t txt _ep.hotmail.com

_ep.hotmail.com text "<ep xmlns='http://ms.net/1'
testing='true'><out><m><indirect>list1._ep.hotmail.com</indirect><indirect>list2._ep.hotmail.com</indirect><indirect>list3._ep.hotmail.com</indirect></m></out></ep>"

Hotmail is owned by Microsoft, and if Caller-ID passes the beta phase (a
flag in the message above implies a 'testing' state), it will have similar
functionality as SPF.

Note that Caller-ID doesn't imply DomainKeys, which was mentioned in that
big press release involving Microsoft, Yahoo, Sendmail, et al.

By the way, thanks to everyone who has given criticism (both technical and
emotional) toward my idea of rewriting the Reply-to. I confess I still
don't quite understand what the general problem is with ISPs and e-mail
providers being held *responsible* for which servers are designated to
send e-mail on behalf of their domain. I agree that:

#1. Forwards breaking sucks and will result in added effort by all and
even increased support calls.

#2. Spammers can just register throw-away domains, publish SPF/Caller-ID
records, and everyone's happy.

#3. SPF is not perfect. Caller ID is not perfect. DomainKeys is not
perfect.

However, in running elists.org (a mailing list service for Borland Delphi
programmers), I have seen a substantial drop in abuse for several SPAM
messages that aren't caught by SpamAssassin (with some tweaks for
improvement). I have had zero announced complaints. The purpose of my
message was twofold:

#1. Ask for thoughts on a technical solution to handle forwards
differently.

#2. Inform Exim users, whom I respect, that your "domain in the middle"
might be affected by the source and destination's adoption of SPF.
Regardless of your political/technical argument, you could be affected.

I have heard arguments from other sources against the use of SPF, and it
does not fall on deaf ears. At this point, I have personally seen value,
lack of complaints from my users, and will keep it implemented.

Thanks again. :) When a discussion gets political, tone of voice is
often lost or construed as foul, so I encourage civility as this
discussion does (or doesn't) continue.

-- Justin