Re: SPF Record ... - Mailing list pgsql-www
From | Magnus Hagander |
---|---|
Subject | Re: SPF Record ... |
Date | |
Msg-id | 6BCB9D8A16AC4241919521715F4D8BCEA35925@algol.sollentuna.se |
In response to | Re: SPF Record ... (Peter Eisentraut <peter_e@gmx.net>) |
Responses | Re: SPF Record ..., Re: SPF Record ... |
List | pgsql-www |
> > Since those having @postgresql.org accounts should be limited to these
> > two lists, can anyone comment on a) is this a bad idea? and b) would
> > they be affected because they don't use SMTP AUTH and c) why aren't
> > you using SMTP AUTH? ...
>
> The fallacy is that proponents of SPF believe that users are
> free to choose their SMTP server. Contrast that with the
> widely spread and generally welcome (among ISPs and
> government) practice of blocking outgoing TCP port 25 to
> address the spam-via-zombies problem (compared against SPF,
> this practice at least works), you are then left with a
> situation in which some users cannot send any email at all
> anymore because their ISP wants email to go this way and the
> domain administrator wants it to go that way. Ultimately,
> both of these measures seriously restrict the redundancy
> feature of the internet (what if your mail server is broken?)
> and impact the privacy and self-determination of users (what
> if I don't want ISP 1 or ISP 2 to count my email?).
>
> But again, SPF doesn't stop any junk mail, so it's useless anyway.

That's a bit harsh, really. There are a lot of environments where publishing SPF records is *not* harmful, and is *not* restricting the user. For example, any organisation that doesn't use SMTP for mail submission. I have 18,000 users that only ever submit email using RPC or http. We also permit SMTP with authentication over TLS on 587 for those few (I think there are 4 or 5 people out of the 18,000) that use IMAP/s. Publishing SPF records for this organisation was a big win, and it has noticeably cut down the spam complaints we've received when spammers have forged from addresses from our domains.

Another good example of this is any of the big webmail services. Hotmail users, for example, don't get to do SMTP, so why should you accept a message from a hotmail user that hasn't been verified as a hotmail user?

As for redundancy - if you have only one mailserver, then yes, it will limit you. But really, does *anybody* have just one mailserver these days? And naturally a backup relayer that runs on a different ISP.

That said, I'm not saying that it's right for postgresql.org, given that it has the type of usage pattern that it does with a lot of "organizationally unrelated" users that all use SMTP for submission.

Use the right tool for the job, as always...

//Magnus