Okay, I finally figured out the SPF entry for my domain. I'm confident about
this one:
v=spf1 a include:sitespf.everyone.net -all
(this is the zone entry for each of my domain names)
This simply says the email server at the domain name's IP address is valid,
as is any email server listed in the SPF at sitespf.everyone.net.
I could not find SBC's SPF record definition so stopped sending mail
using their SMTP server.
----
Okay, that out of the way, SPF is really very simple in concept. All it
does is validate that the server sending an email message is authorized
by the domain owner. That's it.
One thing that SPF does NOT do is stop spammers from using "throw-away"
domains. For example, spammer JOE wants to send spam. He purchases
"joespammer.com" and creates a free hotmail account "joespammer@xxxxxxxxxxx".
He then creates the DNS record for joespammer.com and sets up a proper SPF
entry to allow sending via hotmail. He has now successfully bypassed the SPF
standard. (In fact, he has actually USED the SPF standard to make his spam
appear to be legitimate.) SPF does NOT prevent this. The assumption is that
a valid HOTMAIL user (in this example) is authorized to send via hotmail.
(It's up to hotmail to ensure that the sender is indeed authorized.)
To use my own record as an example:
Sending an email with a MAIL FROM of webmaster@xxxxxxxxxxxxxxx
to list@xxxxxxxxxxxx:
- I can validly send from the email server at the same address
as richardlowe.com
- I can send email from any domain or ip listed in the
spf record at sitespf.everyone.net
- Any other email server will be invalid.
- If a spammer spoofs the address and sends from hotmail's
email server, then it will be invalid.
Ah, but what's to stop a server from saying it's MY server when
it's not? The IP address is NOT part of the email message or
the envelope. The IP address is handled at a lower level of the
protocol - the TCP/IP level. Much more difficult to fake (if not
downright impossible).
How does this affect ringlink?
As long as the MAIL FROM properly identifies emails as being
from richardlowe.com (in this example) all will work fine. Note
that the "From:" and "Reply-To:" fields are actually in the data
portion of the message, not the envelope. The MAIL FROM is different
and distinct.
Now, if I wanted my replies to go to "joe@xxxxxxx" and I thought
that I could do this by setting the MAIL FROM to that value, then
the message would be rejected by any anti-spam system which enforced
SPF. Why? richardlowe.com has not authorized AOL to be a sending domain.
To properly do this, I would ignore the MAIL FROM and use the
Reply-To: field instead.
So, I can set up a ringlink host which sends mail from my domain.
The "from:" and "reply-to:" can be anything I want (the ringmaster
email address or whatever) but the MAIL FROM value must identify
my EMAIL server (not my web server) correctly.
I'm not sure how ringlink handles this. But the way I see it:
- MAIL FROM should only be entered once, for the entire ringlink
installation.
- From: and Reply-To: can be set as desired.
That's my read on it so far.
Richard
P.S. Note to Gunnar: it's not possible to own too many domain names.
--
http://richardlowe.com
http://roseworks.com
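As an added illustration (my own code, not Richard's or ringlink's), here is a small receiver-side SPF evaluator run over the record above. The DNS table and every IP address are constructed stand-ins, "hotmail.example" stands in for the free-mail provider, and the evaluator covers only the a, ip4, include and all mechanisms from RFC 7208.

```python
import ipaddress

# Constructed, offline stand-in for DNS answers (not real data).
DNS = {
    "richardlowe.com": {
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 a include:sitespf.everyone.net -all"],
    },
    "sitespf.everyone.net": {
        "A": [],
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
    # Stand-in for the free-mail provider's own outbound server.
    "hotmail.example": {"A": ["203.0.113.5"], "TXT": ["v=spf1 a -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connecting client `ip`.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 caps DNS-triggering mechanisms at 10
        return "permerror"
    client = ipaddress.ip_address(ip)
    txts = DNS.get(domain, {}).get("TXT", [])
    record = next((t for t in txts if t.startswith("v=spf1 ")), None)
    if record is None:
        return "none"  # the domain publishes no SPF record
    for term in record.split()[1:]:
        qualifier = "+"  # unqualified mechanisms mean "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech == "a":  # the domain's own A record (or a:other.domain)
            target = arg or domain
            addrs = DNS.get(target, {}).get("A", [])
            if any(client == ipaddress.ip_address(a) for a in addrs):
                return result
        elif mech == "ip4":
            if client in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":  # recurse; only a "pass" matches
            if check_host(ip, arg, depth + 1) == "pass":
                return result
    return "neutral"  # no mechanism matched and no "all" term
```

The included record is consulted only when the sending IP is not the domain's own, which is exactly the ordering in the record above.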