Discussion:
[nznog] SPF Uptake in New Zealand
Craig Whitmore
2005-07-14 00:25:27 UTC
So you ask what is SPF?

SPF (Sender Permitted From) is an anti-forgery method used with SMTP which
stops people trying to send from your domain. Not designed for stopping
spam, but helps reduce the amount of spam as well (stops people sending from
other people's domains). Spammers can add SPF records to their domains yes,
(repeat: SPF doesn't stop spam but does a good job of it) but in the future
may be improved to include trust factors (ie domain and SPF has been only
around for 2 days and it's sending 1000 emails to me... strange)

There are quite a number of anti-forgery systems around at the moment, and
the main ones are SPF, Sender-ID (Microsoft) and DomainKeys (Yahoo), SPF at
the moment is the largest used worldwide. (over a million domain names
having SPF records)

The uptake in New Zealand is pretty small at the moment, but ISP's are
starting to add SPF records for their domains.

Xtra have added SPF rules for the xtra.co.nz Domain:
v=spf1 ip4:210.86.15.0/24 ?all (host -t TXT xtra.co.nz)
IHUG have added a SPF rule for ihug hosted domains to include: eg
v=spf1 include:_spf.ihug.co.nz -all (host -t TXT _spf.ihug.co.nz)

And a lot of Domains (see http://spam.co.nz/spf/working/) have started to
add SPF Rules. This list is nowhere near complete at the moment for .NZ (or
other domain names).

Also quite a number of NZ domains have broken SPF records for various
reasons which (if an ISP is testing for SPF will reject and cause bounces),
so it's quite important to make your rules correct (see
http://www.spam.co.nz/spf/broken - This list is also quite incomplete)

I'm not saying SPF doesn't have its problems, but the major problem (at the
moment) is forwarding emails. I.e. ***@ispa.com sends email to ***@ispb.com
and it gets forwarded to ***@ispc.com. If ***@ispc.com checks for SPF it
will fail as the ***@ispa.com email address is coming from ISP B's email
server. BUT mechanisms like SRS fix this problem. Most important is that
before SPF records are set up for a domain you must know how your users are
using your domain.

So maybe you think SPF is just something kids play around with and it will
never be used for anything important and no one cares about it which is not
so as it's gaining momentum like just recently the IANA just gave SPF its own
DNS RR (SPF) (see http://www.iana.org/assignments/dns-parameters) which will
be used instead of the TXT records in the future to SPF records (maybe SPF
v3 will use it only)

More information can be read at: http://www.openspf.net/ and the mailing
list and other information can be read at http://www.openspf.org/

Thanks
Craig Whitmore
www.spam.co.nz
Juha Saarinen
2005-07-14 00:38:44 UTC
Before advocating and implementing SPF, it'd be worth admins' while to
read up on the problems of that technology.

Here's a workaround for forwarding using Exim for instance:

www.infradead.org/rpr.html

Reading through all of that, you have to wonder if SPF isn't creating
more problems than it solves.
--
Juha
Dan Clark
2005-07-14 00:42:18 UTC
yep, I tried to implement SPF a number of times in a few different mail
systems from Postfix to Sendmail, and kinda had a lot of hiccups, mostly
around false positives or loss of email etc.
I think we're going to have another look at it soon as the general level
of SPAM etc seems to be growing by the day.

--
Cheers
Dan
Post by Juha Saarinen
Before advocating and implementing SPF, it'd be worth admins' while to
read up on the problems of that technology.
www.infradead.org/rpr.html
Reading through all of that, you have to wonder if SPF isn't creating
more problems than it solves.
Steve Phillips
2005-07-14 01:01:22 UTC
Post by Dan Clark
I think we're going to have another look at it soon as the general level of
SPAM etc seems to be growing by the day.
NOTE: SPF is NOT an anti-spam methodology, it is designed to add a
simplistic way to prevent forging of e-mail From: addresses. (the envelope
sender to be even more specific)

As a result, implementing SPF will NOT stop the growth of SPAM, it may
assist in reducing the number of people that get suckered in by phishing
schemes.
--
Steve.
Alastair Johnson
2005-07-14 01:13:12 UTC
Post by Steve Phillips
Post by Dan Clark
I think we're going to have another look at it soon as the general
level of SPAM etc seems to be growing by the day.
NOTE: SPF is NOT an anti-spam methodology, it is designed to add a
simplistic way to prevent forging of e-mail From: addresses. (the
envelope sender to be even more specific)
As a result, implementing SPF will NOT stop the growth of SPAM, it may
assist in reducing the number of people that get suckered in by phishing
schemes.
It might - IF some local financial organisations adopted SPF:

$ host -t txt asb.co.nz
asb.co.nz text "ASB Bank, Auckland, NZ"
$ host -t txt asbbank.co.nz
asbbank.co.nz text "ASB Bank, Auckland, NZ"
$ host -t txt westpac.co.nz
$ host -t txt westpac.com.au
$ host -t txt nbnz.co.nz
nbnz.co.nz text "National Bank of New Zealand"
$ host -t txt kiwibak.co.nz
Host kiwibak.co.nz not found: 3(NXDOMAIN)
$ host -t txt kiwibank.co.nz
kiwibank.co.nz text "New Zealand Post Limited"

And so forth. In fact, out of a small sample of finance organisations
in NZ the only one I can find with SPF records is americanexpress (see
aexp.com).

Although it does reduce phishing from Paypal etc; but the CitiBank and
BofA and so forth phishing is unlikely to ever work in NZ because the
average NZer won't have an account with them.

SPF doesn't solve spam, though. Unauthorised "hijacking" of domains, on
the other hand, it might help reduce the occurrence of.

aj
Jonathan Brewer
2005-07-14 00:47:34 UTC
How do I know if my domain has SPF?

Try this tool:

http://www.dnsreport.com/

Under "Mail" the last row checks for SPF record.

For example

http://www.dnsreport.com/tools/dnsreport.ch?domain=orcon.co.nz
http://www.dnsreport.com/tools/dnsreport.ch?domain=araneo.net.nz

Cheers,

Jon

Mark Karena
2005-07-14 01:15:54 UTC
Post by Steve Phillips
As a result, implementing SPF will NOT stop the growth of SPAM, it may
assist in reducing the number of people that get suckered in by phishing
schemes.
Or reduce the number of calls from clients asking why you sent them an
_email_ telling them that their _email_ account has been disabled.....



Nic Wise
2005-07-14 01:42:23 UTC
Hey folks,

No one has mentioned building the SPF strings :) I found this a while
back:

http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx

It's a nice little (online) wizard from MS, which allows you to build
the string without having to work out a geekcode-look-alike. AFAIK, they
don't store info - just show you the SPF for what you enter.

No comment on how effective SPF might be, but the wizard is handy if you
don't wanna work out the syntax :)

Cheers.

Nic, off to add the TXT record to his domains.
--
Nic Wise - Senior Developer - Microsoft MVP (.NET)
AfterMail Limited.
t. +64.21.676.418 w. http://www.aftermail.com/
e. ***@aftermail.com b. http://www.fastchicken.co.nz/blog/
Juha Saarinen
2005-07-14 01:50:43 UTC
Post by Nic Wise
Hey folks,
No one has mentioned building the SPF strings :) I found this a while
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
It's a nice little (online) wizard from MS, which allows you to build
the string without having to work out a geekcode-look-alike. AFAIK, they
don't store info - just show you the SPF for what you enter.
Microsoft pwns SPFv1 and calls it SenderID.

A tip on the Spamtools list said to bear in mind that it's mostly
spammers and bulkers who publish such records. Therefore, rejecting mail
based on the existence of the records might indeed be useful.
--
Juha
Craig Whitmore
2005-07-14 02:02:38 UTC
Post by Juha Saarinen
Microsoft pwns SPFv1 and calls it SenderID.
A tip on the Spamtools list said to bear in mind that it's mostly spammers
and bulkers who publish such records. Therefore, rejecting mail based on
the existence of the records might indeed be useful.
You should only reject on SPF if the rule says so. Yes, a lot of spammers have
set up SPF records, but SPF is not designed for Stopping Spam.

Xtra have only set "v=spf1 ip4:210.86.15.0/24 ?all" instead of "v=spf1
ip4:210.86.15.0/24 -all"
The existing record will make the result neutral (tested for SPF but still
allowed to come in) instead of fail for people testing for it.
If they set "v=spf1 ip4:210.86.15.0/24 -all" then some mail (for example
that trademe.co.nz sends out) would get rejected as it would be coming from
the wrong place

Thanks
Craig
Craig Whitmore
2005-07-14 02:11:07 UTC
Post by Craig Whitmore
If they set "v=spf1 ip4:210.86.15.0/24 -all" then some mail (for example
that trademe.co.nz sends out) would get rejected as it would be coming
from the wrong place
This was a little unclear what I said. trademe.co.nz sends out emails
sometimes from the email address of the trademe user. If a user has email
address of ***@xtra.co.nz it will send from that address from trademe
mail server, and if tested for SPF with a -all will fail and get rejected.

Thanks
Craig
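
The ?all versus -all difference and the trademe case described above, worked through as an added example (not code from any poster in this thread). It is a minimal offline evaluator for the ip4/ip6, all, include and redirect terms; the two client addresses and the ~all variant are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> result returned when that mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, lookup_txt=None, depth=0):
    """Evaluate an SPF TXT record for the IP of the connecting SMTP client.

    Supports ip4, ip6, all, include and redirect. lookup_txt(domain) is a
    caller-supplied resolver returning a record string or None, so the
    example runs offline. a/mx/ptr/exists need live DNS and are not handled.
    """
    if depth > 10:                        # guard against include/redirect loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # e.g. a purely descriptive TXT record
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier of the form name=value
            key, value = term.split("=", 1)
            if key.lower() == "redirect":
                redirect = value
            continue                      # other modifiers are ignored
        qualifier = "+"                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # broken record
            if net.version != int(name[2]):
                return "permerror"        # ip4: with an IPv6 range or vice versa
            matched = ip.version == net.version and ip in net
        elif name == "include":
            target = lookup_txt(arg) if lookup_txt else None
            if target is None:
                return "permerror"        # included domain has no record
            inner = check_spf(target, client_ip, lookup_txt, depth + 1)
            if inner in ("temperror", "permerror", "none"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"     # only an inner pass counts as a match
        elif name in ("a", "mx", "ptr", "exists"):
            raise NotImplementedError(f"{name} needs live DNS lookups")
        else:
            return "permerror"            # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        target = lookup_txt(redirect) if lookup_txt else None
        if target is None:
            return "permerror"
        return check_spf(target, client_ip, lookup_txt, depth + 1)
    return "neutral"                      # nothing matched and no "all" term


POLICIES = {
    "published": "v=spf1 ip4:210.86.15.0/24 ?all",  # record quoted in the thread
    "strict": "v=spf1 ip4:210.86.15.0/24 -all",     # the variant Craig describes
    "soft": "v=spf1 ip4:210.86.15.0/24 ~all",       # added here for comparison
}

# Constructed sample clients: one inside the published range, and one
# documentation address (RFC 5737) standing in for a third-party server that
# sends with the user's address (a forwarder, or a site mailing on their behalf).
INSIDE_RANGE = "210.86.15.25"
THIRD_PARTY = "192.0.2.10"


def compare_policies(client_ip):
    """Return the SPF result under each policy variant for one client IP."""
    return {label: check_spf(rec, client_ip) for label, rec in POLICIES.items()}


if __name__ == "__main__":
    for ip in (INSIDE_RANGE, THIRD_PARTY):
        print(ip, compare_policies(ip))
```

A receiver that rejects only on "fail" accepts the third-party message under the published ?all record and rejects it under -all.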
Hadley Rich
2005-07-14 02:17:26 UTC
Post by Craig Whitmore
If they set "v=spf1 ip4:210.86.15.0/24 -all" then some mail (for example
that trademe.co.nz sends out) would get rejected as it would be coming
from the wrong place
This was a little unclear what I said. trademe.co.nz sends out emails
sometimes from the email address of the trademe user. If a user has email
address of ***@xtra.co.nz it will send from that address from trademe
mail server. and if tested for SPF with a -all will fail and get rejected.
Shouldn't the '-all' you are talking about be '~all'?

Also to fix their problem trademe should possibly be sending mail with the
Reply-to set to the users email and the
Craig Whitmore
2005-07-14 01:54:51 UTC
Post by Nic Wise
No one has mentioned building the SPF strings :) I found this a while
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
It's a nice little (online) wizard from MS, which allows you to build
the string without having to work out a geekcode-look-alike. AFAIK, they
don't store info - just show you the SPF for what you enter.
Be careful. Sender-ID is not SPF. Microsoft took SPF and added some
changes to it (which a lot of people in the SPF "community" think make it
worse than simple SPF by itself).
Sender-ID has their own records (see nslookup -type=txt spam.co.nz), but
will use the SPF records if there is no SenderID record (spf2.0) and this
may make Sender-ID give false positives at rare times. (The reusage by
Microsoft of the SPF tag is what SPF people don't like, but when everyone
starts using the new RR of "SPF" instead of TXT for SPF, Microsoft can do
what they want, as it was given for SPF not Sender-ID.)

Thanks
Craig
Juha Saarinen
2005-07-14 02:02:29 UTC
Post by Craig Whitmore
Be careful. Sender-ID is not SPF. Microsoft took SPF and added some
changes to it (which a lot of people in the SPF "community" think make it
worse than simple SPF by itself).
Sender-ID has their own records (see nslookup -type=txt spam.co.nz), but
will use the SPF records if there is no SenderID record (spf2.0) and
this may make Sender-ID give false positives at rare times. (The
reusage by Microsoft of the SPF tag is what SPF people don't like, but
when everyone starts using the new RR of "SPF" instead of TXT for SPF,
Microsoft can do what they want, as it was given for SPF not Sender-ID.)
$ host -t txt spam.co.nz
spam.co.nz descriptive text "v=spf1 ip4:219.88.242.0/27 -all"
spam.co.nz descriptive text "spf2.0/pra ip4:219.88.242.0/27 -all"
spam.co.nz descriptive text "Professional DNS Management by Orcon Internet"

$ host -t txt microsoft.co.nz
{nothing}

$ host -t txt microsoft.com
microsoft.com descriptive text "v=spf1 mx redirect=_spf.microsoft.com"

$ host -t txt _spf.microsoft.com
_spf.microsoft.com descriptive text "v=spf1 ip4:213.199.128.139
ip4:213.199.128.145 ip4:207.46.50.72 ip4:207.46.50.82 ip4:131.107.3.116
ip4:131.107.3.117 ip4:131.107.3.100 ip4:131.107.3.108
a:delivery.pens.microsoft.com a:mh.microsoft.m0.net mx:microsoft.com ?all"


Humm...
--
Juha
Drew Broadley
2005-07-14 01:44:24 UTC
Post by Nic Wise
No one has mentioned building the SPF strings :) I found this a while
http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx
There is a wizard on one of the links posted by Craig.

http://spf.pobox.com/ , http://www.openspf.net/ (something)

The wizard is on the top left, where it says to enter your domain.

- Drew
Simon Allard
2005-07-14 02:21:32 UTC
Post by Craig Whitmore
Post by Craig Whitmore
If they set "v=spf1 ip4:210.86.15.0/24 -all" then some mail (for example
that trademe.co.nz sends out) would get rejected as it would be coming
from the wrong place
This was a little unclear what I said. trademe.co.nz sends out emails
sometimes from the email address of the trademe user. If a user has email
address of ***@xtra.co.nz it will send from that address from trademe
mail server. and if tested for SPF with a -all will fail and get rejected.

I can see SPF being a big learning curve to the NZ ISP customer base,
once ISP's start enforcing SPF.

We still see lots of email from customers who have an ispa email set as
their email address but are using our email server because they moved
ISP's but didn't want to change email address. I would be surprised if
any ISP's don't see this.

SPF seems like a very good idea, and will work perfectly for personal
domains, but for big ISP's, xtra/clear/ihug etc. It's going to cause a
huge influx of unhappy customers if it ever gets implemented.


- Simon
Joe Abley
2005-07-14 02:49:43 UTC
Post by Simon Allard
SPF seems like a very good idea,
The amount of annoying mail I get from non-forged addresses is wildly
smaller than the amount of annoying mail I get from forged addresses.
Even if it became impossible to forge a from address, I'd still get a
lot of annoying mail.

SPF seems like a lot of energy directed the wrong way.


Joe
Craig Humphrey
2005-07-14 22:17:08 UTC
Post by Juha Saarinen
Reading through all of that, you have to wonder if SPF isn't
creating more problems than it solves.
Juha
But that's what constraints are all about...
It's very hard to increase restrictions without increasing complexity, just
ask the security industry.

I subscribe to one of the spf mailing lists
(http://archives.listbox.com/spf-help/current/) and it's showing just how
hard it is for a lot of IT/ISP teams to get a grip on it.

The biggest headache for users, is that they will need to use the right
email address in the FROM: field and then the one they want everyone to send
to in the REPLY-TO: field, otherwise anyone who had multiple (ISP) email
address, but only sends via a single smtp server (e.g. their current ISP).

I'm a classic example, I'm using craig dot humphrey dot work at paradise dot
net dot nz for this list, while I'm at work, but because Paradise won't let
me send email via their smtp server, unless I'm directly connected to their
network [e.g. dial-up, jetstream, etc], I have to send via the ISP I'm
currently connected to. Which is even more interesting, since it's
Global-Gateway. Fortunately, Xtra's smtp server is happy to "relay" for us,
but if Xtra ever change their spf record from ?all to -all, I'm poked. I
don't have a user at xtra dot co dot nz address to use in the from field.

ISP's are going to need to open their smtp servers up to authenticated
relaying from outside their networks.

BTW I see that no one has mentioned that Microsoft are going to enforce spf
for Hotmail
(http://www.geek.com/news/geeknews/2005Jun/gee20050624031084.htm) if you
don't publish spf records, then your email to Hotmail will be marked as
spam.

I'm guessing that this is a precursor to enforcing it for all Microsoft
controlled domains. Though presumably they will have trouble enforcing it
for Microsoft.com, unless they're already prepping the next version of
Exchange to include spf/senderid support :)


In my opinion, SPF is not a silver bullet, but it's got the potential to
help. But it's hampered by the need for everyone to use SPF aware mail
servers and the (increasing) complexity of SPF records (the mailing list is
full of "the wizards over-simplify and are often simply wrong".)

Oh and I see that MS's SenderID wizard outputs SPF v1 records, not SPF v2
which is what SenderID is supposed to be :)

Until everyone implements SPF records, Spammers using spoofed domains will
just work their way around non-SPF'ed domains. Until everyone implements
SPF aware mail servers, spammers will end up targeting users who aren't
behind SPF aware mail servers.

Just my 2c..... Nothing like a Friday morning rant... I need a V....

Later'ish
Craig
Simon Byrnand
2005-07-14 22:33:03 UTC
Post by Craig Humphrey
Post by Juha Saarinen
Reading through all of that, you have to wonder if SPF isn't
creating more problems than it solves.
Juha
But that's what constraints are all about...
It's very hard to increase restrictions without increasing complexity, just
ask the security industry.
I subscribe to one of the spf mailing lists
(http://archives.listbox.com/spf-help/current/) and it's showing just how
hard it is for a lot of IT/ISP teams to get a grip on it.
The biggest headache for users, is that they will need to use the right
email address in the FROM: field and then the one they want everyone to send
to in the REPLY-TO: field, otherwise anyone who had multiple (ISP) email
address, but only sends via a single smtp server (e.g. their current ISP).
I'm a classic example, I'm using craig dot humphrey dot work at paradise dot
net dot nz for this list, while I'm at work, but because Paradise won't let
me send email via their smtp server, unless I'm directly connected to their
network [e.g. dial-up, jetstream, etc], I have to send via the ISP I'm
currently connected to.
Do paradise not allow the use of SMTP auth ? To be honest I can only ever
see SPF becoming a viable solution if everybody who uses their email
address in a "roaming" fashion uses SMTP auth. We've provided SMTP auth for
a couple of years now, and it helps solve a lot of problems.

The classic ones being users switching back and forth between GPRS/Mobile
Jetstream and a normal dialup on a laptop, and also using their email
address from Jetstream with another ISP (often when they take their
computer into work) enabling SMTP auth and using our smtp server solves all
those problems in one stroke.
Post by Craig Humphrey
Which is even more interesting, since it's
Global-Gateway. Fortunately, Xtra's smtp server is happy to "relay" for us,
but if Xtra ever change their spf record from ?all to -all, I'm poked. I
don't have a user at xtra dot co dot nz address to use in the from field.
My brain might not be fully engaged yet this morning, but what does xtra's
SPF records have to do with you sending using a paradise email address ?
Surely its paradise adding an spf record that would cause you problems
relaying through xtra's mail server ?
Post by Craig Humphrey
ISP's are going to need to open their smtp servers up to authenticated
relaying from outside their networks.
Yep. If you do a survey of various ISP's SMTP servers, you'll see that
quite a number support it now, (with a few notable big name exceptions :)
and regardless of whether SPF gets adopted I hope all ISP's see the light
and start moving towards providing SMTP auth.... certainly they shouldn't
start publishing strict SPF records without SMTP auth as a lot of their
customers will get left out in the cold with no way to send their email
reliably...

Regards,
Simon
Juha Saarinen
2005-07-14 22:45:11 UTC
Post by Craig Humphrey
But that's what constraints are all about...
Creating more problems than they solve?

Good luck with explaining that (and SPF) to customers paying you to
deliver emails.
--
Juha
Drew Broadley
2005-07-14 22:26:44 UTC
Post by Craig Humphrey
Just my 2c..... Nothing like a Friday morning rant... I need a V....
s/V/Beer/ ;)

Cheers for that summary, it's helped me get my head around SPF, which
I've flogged researching for the fear of adding False-Negatives
possibilities on-top of my current SA setup (which, incidentally, has
been flawless for a few months now).

- Drew
Craig Humphrey
2005-07-15 00:24:56 UTC
Post by Juha Saarinen
Post by Craig Humphrey
But that's what constraints are all about...
Creating more problems than they solve?
Nearly :) It's about the steep learning curve. Once the dust settles on
SPF (and/or SenderID), the knowledge on how to set it up correctly (and
hopefully simply) will start to disseminate more quickly. At that point,
the problems start to go away.

It's not too different from the old days when just about every SMTP server
out there was happy to relay. There was a time when this was thought to be
a "Good Thing" (tm). Times have changed, and when SMTP servers stopped
relaying (well, all the responsibly maintained ones...) I wonder how many
users weren't able to send emails....
Post by Juha Saarinen
Good luck with explaining that (and SPF) to customers paying
you to deliver emails.
--
Juha
Fortunately I don't have to. We don't have customers pay us to deliver
email. We're just a firm that needs to send our own emails, do our best to
protect our users from SPAM (viri, etc) and be responsible netizens.

So I'll certainly be putting SPF records in our DNS and pressing our mail
server vendor to support SPF.

If I was working for a firm that had customers paying us to deliver
email, then I'd probably be doing my darndest to research SPF (and probably
SenderID), learn how best to use SPF to protect our clients from SPAM (at least
the domain spoofed kind) and how best to explain the ramifications of SPF to
my clients.

ISP's who relay outbound email for their clients are probably going to have
some very complex SPF records if they want it to be tight.

Later'ish
Craig
Nic Wise
2005-07-15 00:26:20 UTC
Post by Craig Humphrey
I'm guessing that this is a precursor to enforcing it for all
Microsoft controlled domains. Though presumably they will
have trouble enforcing it for Microsoft.com, unless they're
already prepping the next version of Exchange to include
spf/senderid support :)
I'm not 100% sure, but I think I read that this is going to be in
Exchange 2003 SP2 - I think it's part of the "edge services" thing
that's in SP2.

Nic
--
Nic Wise - Senior Developer - Microsoft MVP (.NET)
AfterMail Limited.
t. +64.21.676.418 w. http://www.aftermail.com/
e. ***@aftermail.com b. http://www.fastchicken.co.nz/blog/
Craig Humphrey
2005-07-15 00:40:17 UTC
Post by Jonathan Brewer
-----Original Message-----
[snip snip]
Post by Jonathan Brewer
Do paradise not allow the use of SMTP auth ? To be honest I
can only ever see SPF becoming a viable solution if everybody
who uses their email address in a "roaming" fashion uses SMTP
auth. We've provided SMTP auth for a couple of years now, and
it helps solve a lot of problems.
I've been testing it every so often for the last few years (I've been with
Paradise for about 5 years), but never got it working. Never took it up
with their helpdesk 'cause it wasn't much of a bother. Perhaps it's time I
did....
Post by Jonathan Brewer
The classic ones being users switching back and forth between
GPRS/Mobile Jetstream and a normal dialup on a laptop, and
also using their email address from Jetstream with another
ISP (often when they take their computer into work) enabling
SMTP auth and using our smtp server solves all those problems
in one stroke.
Yeah, I have this kind of issue. Multiple email addresses with multiple
ISP's (and others like mail.com) and then switching between the office
(Global Gateway), MobileJetstream (Xtra), JetStream (Xtra) and Dial-up
(Paradise). I think Xtra are now supporting SMTP auth on a separate host
(not their normal SMTP/POP3 servers I think), but until Paradise does...
Post by Jonathan Brewer
My brain might not be fully engaged yet this morning, but
what does xtra's SPF records have to do with you sending
using a paradise email address ?
Surely its paradise adding an spf record that would cause you
problems relaying through xtra's mail server ?
Irk! Yes, you're right, since it's the domain in the MAIL FROM (SMTP
command) address that is checked.
Hmm... Reading (http://spf.pobox.com/faq.html#whichfield) suggests that the
FROM: field should not be checked.

Still, I guess it's only a matter of time before Xtra tidy up who can relay
through them.
Post by Jonathan Brewer
Yep. If you do a survey of various ISP's SMTP servers, you'll
see that quite a number support it now, (with a few notable
big name exceptions :) and regardless of whether SPF gets
adopted I hope all ISP's see the light and start moving
towards providing SMTP auth.... certainly they shouldn't
start publishing strict SPF records without SMTP auth as a
lot of their customers will get left out in the cold with no
way to send their email reliably...
Regards,
Simon
Agreed. A remarkable number aren't yet publishing SPF records at all... I
guess everyone is sitting on the fence until it's either fully ratified or
their hand is forced (e.g. Hotmail enforcing SPF).

Later'ish
Craig
