[Wylug-discuss] SPF records
Chris Davies
chris.davies at bcs.org.uk
Tue Sep 20 09:24:20 BST 2005

Firstly, is this the right WYLUG list for this kind of question? If not, please
advise me and I'll try it again elsewhere.

I'm intrigued (and pleased) to see more and more companies using SPF records to
help authenticate/repudiate email for their domains. I already have an SPF
record for my own home domain and have seen the number of UCE bounces from
emails claiming to be from someone at roaima drop from 1000/week to virtually
nothing. I've also seen the number of UCE emails with fake AOL senders drop off
dramatically.

I'd like to be able to install an SPF record for the company I work for, but
I've got some issues that need resolving before I can proceed.

We have a number of laptop users who can connect back to our LAN/WAN using VPN.
For us, there is nothing that stops these users from sending emails from their
work email address while *disconnected* from the VPN (e.g. while connected to
their home ISP), and if I were to implement a strict SPF record then such emails
would legitimately be considered to be from a non-authentic source - and
therefore perhaps fraudulent.

We don't use Exchange (or any equivalent such as Scalix/Notify); everything is
currently just SMTP and POP. (I know this gives no protection against someone
inside the company trying to forge an email from another member of staff. That's
fortunately outside the scope of this project.)

I was wondering whether anyone else had successfully addressed this problem with
either policy or technology, and if so, how.

I've thought about installing OpenVPN on each laptop, with a route to a solitary
DMZ network address that accepts SMTP for relay. Coupled with a split-DNS
approach this could work quite elegantly. I've thought about Auth SMTP or POP
before SMTP but the logistics of either of these make my head swim. I've thought
about simply telling staff "don't do that" and then I remembered I'm in the real
world. For example, if you're on Freeserve/Wanadoo's network then they
transparently proxy SMTP, so it looks like an email's been sent through our
internal servers but actually it's been hijacked via the ISP. So users will tell
me "but it works, so why can't I do that?"

Many thanks,
Chris
--
Chris Davies MBCS, chris.davies at bcs.org.uk, 07778 199069