RICH@xxxxxxxxxxxxxxx wrote:
I could not find SBC's SPF record definition so stopped sending mail
using their SMTP server.
I don't understand why that would be a reason for not using it.
Okay, that out of the way, SPF is really very simple in concept. All
it does is validate that the server sending an email message is
authorized by the domain owner. That's it.
While the concept is simple, applying it requires some knowledge.
One thing that SPF does NOT do is stop spammers from using
"throw-away" domains. For example, spammer JOE wants to send spam. He
purchases "joespammer.com" and creates a free hotmail account
"joespammer@xxxxxxxxxxx". He then creates the DNS record for
joespammer.com and sets up a proper SPF entry to allow sending via
hotmail.
One difference compared to forged addresses is that it becomes easier to
track him. For instance, JOE probably used a credit card to pay for the
domain...
To use my own record as an example:
Sending an email with a MAIL FROM of webmaster@xxxxxxxxxxxxxxx to
list@xxxxxxxxxxxx:
- I can validly send from the email server at the same address
as richardlowe.com
- I can send email from any domain or ip listed in the
spf record at sitespf.everyone.net
- Any other email server will be invalid.
- if a spammer spoofs the address and sends from hotmail's
email server, then it will be invalid.
I have to admit, though, that the gunnar.cc server, where this list is
hosted, has not yet been configured to check for SPF. I have downloaded
some software, but have not yet taken courage to actually try it.
How does this affect ringlink?
As long as the MAIL FROM properly identifies emails as being from
richardlowe.com (in this example) all will work fine. Note that the
"From:" and "Reply-To:" fields are actually in the data portion of
the message, not the envelope. The MAIL FROM is different and
distinct.
Now, if I wanted my replies to go to "joe@xxxxxxx" and I thought that
I could do this by setting the MAIL FROM to that value, then the
message would be rejected by any anti-spam system which enforced SPF.
Why? richardlowe.com has not authorized AOL to be a sending domain.
Or rather: AOL has not authorized your mail servers by including them in
their SPF record.
To properly do this, I would ignore the MAIL FROM and use the
Reply-To: field instead.
So, I can set up a ringlink host which sends mail from my domain. The
"from:" and "reply-to:" can be anything I want (the ringmaster email
address or whatever) but the MAIL FROM value must identify my EMAIL
server (not my web server) correctly.
I'm not sure how ringlink handles this. But the way I see it:
- MAIL FROM should only be entered once, for the entire ringlink
installation.
- From: and Reply-To: can be set as desired.
Yeah, I see your point.
Currently it does not work that way if you are using the "SMTP option"
in rlconfig.pm. In that case, the MAIL FROM equals the "From:". Up to
now, I have considered that to be an important advantage, since it means
that possible bounces due to invalid ring member addresses go to the
ringmaster. As I mentioned when starting this discussion, SPF may be a
reason to reconsider that solution.
One possibility would be to make the master admin address the MAIL FROM
address in all the messages. OTOH, for those ringmasters who control
their domains, it's fully possible to include the mail server of the
Ringlink system in the respective SPF record.
One thought I have is to make Ringlink check for the SPF data of the
ringmaster address, and keep letting the ringmaster address be the MAIL
FROM address, except if an SPF check would result in "fail" when sent
from the mail server of the Ringlink system. In case of the latter,
Ringlink would fall back to make the master admin address the MAIL FROM.
I don't know if that would be possible. If it would, do you think that
such a solution would make sense?
/ Gunnar
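The MAIL FROM selection rule Gunnar proposes above, as an added example that is not part of the original thread or of Ringlink's own code: a minimal SPF evaluator over a constructed DNS fixture, and the fallback from ringmaster address to master admin address only when the check would return a hard "fail" (softfail, neutral and "no record" keep the ringmaster). The evaluator handles only the ip4, a, include and all mechanisms, and the record contents for richardlowe.com, sitespf.everyone.net, softfail.example and the ringlink.example admin address are assumptions, not the real zones.

```python
import ipaddress

# Constructed DNS fixture (hypothetical zones and addresses) in place of live lookups.
DNS = {
    "TXT": {
        "richardlowe.com": "v=spf1 a include:sitespf.everyone.net -all",
        "sitespf.everyone.net": "v=spf1 ip4:203.0.113.0/24 -all",
        "softfail.example": "v=spf1 ip4:198.51.100.5 ~all",
    },
    "A": {"richardlowe.com": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=DNS, depth=0):
    """Minimal SPF evaluator (ip4, a, include, all only); returns the SPF result string."""
    if depth > 10:                      # RFC 7208 DNS-lookup limit, approximated
        return "permerror"
    record = dns["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no SPF record: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":               # 'a' with no argument means the current domain
            matched = str(addr) in dns["A"].get(arg or domain, [])
        elif name == "include":         # include matches only if the included record passes
            matched = spf_check(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False             # unsupported mechanism: treated as no match
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # ran off the end of the record without a match


def plan_message(ringmaster, master_admin, ringlink_ip, dns=DNS):
    """Gunnar's proposed rule: the ringmaster stays MAIL FROM unless SPF would say 'fail'
    for mail sent from the Ringlink host; From:/Reply-To: stay the ringmaster regardless."""
    result = spf_check(ringlink_ip, ringmaster.rsplit("@", 1)[1], dns)
    envelope_from = master_admin if result == "fail" else ringmaster
    return {"MAIL FROM": envelope_from, "From": ringmaster,
            "Reply-To": ringmaster, "spf": result}
```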