[Wylug-discuss] SPF records
Nigel Metheringham
nigel.metheringham at dev.intechnology.co.uk
Tue Sep 20 09:46:21 BST 2005
On Tue, 2005-09-20 at 09:17 +0100, Chris Davies wrote:
> Firstly, is this the right WYLUG list for this kind of question? If not, please
> advise me and I'll try it again elsewhere.
Maybe wylug-help would be better but there's no problem with it here.
> I'm intrigued (and pleased) to see more and more companies using SPF records to
> help authenticate/repudiate email for their domains. I already have an SPF
> record for my own home domain and have seen the number of UCE bounces from
> emails claiming to be from someone at roaima drop from 1000/week to virtually
> nothing. I've also seen the number of UCE emails with fake AOL senders drop off
> dramatically.
That latter part makes no sense. I suppose I had better admit that I am
an extreme SPF sceptic - it looked like a reasonable idea originally,
but the flaws are too big and too inherent to make it a good thing.
Additionally, it's been so oversold as to make it worthless.
A better approach to the joe job problem is something like BATV/SES.
It's also been interesting watching large providers back away from SPF -
a number of major providers no longer publish SPF records, and others
have changed their records to make them effectively advisory - i.e. useful
only for scoring. In fact SPF is best considered as an additional input
to a scoring system like that operated by SpamAssassin and is not safe
to reject mail on alone.
> We have a number of laptop users who can connect back to our LAN/WAN using VPN.
> For us, there is nothing that stops these users from sending emails from their
> work email address while *disconnected* from the VPN (e.g. while connected to
> their home ISP), and if I were to implement a strict SPF record then such emails
> would legitimately be considered to be from a non-authentic source - and
> therefore perhaps fraudulent.
Allowing company email to bypass company systems is a dangerous
precedent.
> I was wondering whether anyone else had successfully addressed this problem with
> either policy or technology, and if so, how.
The answer to this is to enforce company email passing through your mail
servers. You should do this by having an SMTP server available to those
outside the network accepting email on the MSA port (port 587 - Mail
Submission), which should be SMTP/TLS with enforced authentication. The
use of the standard MSA port should allow connections from SMTP blocking
networks. Personally I have my laptop always connect to the external
facing SMTP server since that means things work for me both inside and
outside the network.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
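An added illustration of the two points above (SPF as a scoring input rather than a reject-on-its-own signal, and the roaming-laptop case), not code from the list post: a small offline evaluator for SPF records that use only ip4/ip6/all mechanisms, with constructed records, constructed IPs (203.0.113.0/24 as the company mail servers, 198.51.100.7 as a home ISP address) and hypothetical score weights.

```python
import ipaddress

# Constructed sample records. STRICT is the "-all" form the original poster
# is considering; ADVISORY ends in "~all", the softfail form the reply says
# large providers have moved to.
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
ADVISORY_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"

# Result produced when a mechanism with this qualifier prefix matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate sender_ip against an SPF record using only ip4/ip6/all.

    Mechanisms that need DNS lookups (a, mx, include, ...) are out of scope,
    so the check runs offline; they yield "permerror" here.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Membership test is False for a mismatched IP version.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # hypothetical handling of unsupported mechanisms
    return "neutral"  # record ended without any mechanism matching


# Hypothetical score adjustments: SPF feeds a scoring filter (SpamAssassin
# style) rather than deciding rejection on its own.
SCORE_ADJUST = {"pass": -1.0, "softfail": 1.0, "fail": 2.5,
                "neutral": 0.0, "none": 0.0, "permerror": 0.0}


def spf_score(record, sender_ip):
    """Score contribution of the SPF result for one message."""
    return SCORE_ADJUST[check_spf(record, sender_ip)]
```

With the strict record, a laptop sending straight from its home ISP address gets "fail", while the same mail submitted through the company MSA (and so leaving from 203.0.113.0/24) gets "pass"; the advisory record turns the first case into "softfail", which only nudges the score.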