On 12/18/11 5:40 PM, Reindl Harald wrote:
>
> On 18.12.2011 23:33, Steve Fatula wrote:
>> Or, allow people to spoof if they wish for some "valid" reasons.
> there is no valid reason these days
> on SPF enabled domains it must not happen
> who the fuck configures smtp-servers to allow foreign sender-domains?
>
> so normally should allow this senders and the only conclusion get
> incoming mails with own domains are stupid users or spammers
>

I can see a very good and common use case for this (if I am understanding the situation being described).
Let us say that I subscribe to internet access with example.net, and generally send my email out through them. Let us also say that I help out at a small non-profit which has the domain example.org. Example.org is a small organization, and its internet appearance is on a minimal shared hosting account; for incoming email, various addr...@example.org email addresses are set to forward to those individuals' personal email accounts at their ISPs. It does not have a dedicated outgoing email server. If I want to send out an email, to be sent as a member of example.org and using an example.org email address, my only option is to send it out via example.net (as that is my outgoing email service).

This is a very real need, and I suspect that if you checked, there are likely a large number of domains that fall into this problem. They just need to be low enough volume to not need a full commercial hosting package, but just big enough that the email package the limited capabilities of a "personal" hosting package is insufficient to be shared by the users. (The issue is that everyone often shares the SMTP account password, which is sometimes linked to an incoming account email password.)

I also have one web hosting provider that basically does NOT provide outgoing SMTP service; they specifically state that they expect you to be using your ISP's SMTP server to be sending out your email. (They do provide a very throttled outgoing SMTP server if you really need it.)

In this environment, for an ISP to say that your outgoing emails must be from "their" domain would be unacceptable, and cause a loss of business. example.net does need to do enough tracking so that if an abuse claim is received, they can determine who is responsible for the abuse, but limiting the To field to be just m...@example.net is not needed.
Yes, example.org can't use DKIM to protect its outgoing messages, and SPF would be difficult and slightly ineffective (having to get the information from all their members to figure out what all the possible sender domains would be), but if they are a small organization, they may not be that worried about impersonation.

Now, if an organization provides outgoing SMTP and outgoing webmail (for times when their users can't get to a real email client, but just have vanilla web access), then they could say that if an email comes from the outside world claiming to be from them, it is likely a spoof and rejectable.

--
Richard Damon