I'd like to know when, if ever, Exim's SPF checking will advance
from "experimental" to "supported". It's been "experimental"
for years. See "
http://wiki.exim.org/SPF"
The issue is not "can I build Exim for my own server". The
question is, "can I convince a big hosting service to turn on
SPF checking". They don't want to do it until it's a standard feature.
The hosting service involved puts SPF records on all their domains
by default, and they run Exim, but they don't have SPF checking installed.
The need for SPF checking is increasing because more spam is being
sent using a phony sender address which is the same as the destination
address. That's easily caught by an SPF check. It's also easy for the
recipient, who usually controls the SPF records for their own domain,
to put up an SPF record and immediately reap the benefits. All the
forged email using the same sender and recipient immediately bounces.
What would it take to make this happen?
John Nagle
