Jonathan Nichols wrote:
> I scrapped SPF, actually. Found that certain providers, such as
> T-Mobile, re-direct & intercept outbound port 25 traffic, making SPF
> more of a pain in the neck.
>
> Example: I try to send mail to this list from a T-Mobile Hotspot
> (Starbucks) - it gets kicked back because SF.net uses SPF, and my SPF
> records don't show m55415454.tmodns.net in the SPF records. So what can
> I do? Add all of t-mobile to my SPF records? What happens next time
> something like that occurs?
>
> In the end it was just easier to back off of SPF for now.. maybe later..

Indeed, if you have to send mail while 'on the road', through other people's servers (bearing in mind that some providers might redirect port 25), then publishing SPF for your own domain which rejects mail from these servers is to be avoided! I've only dared end my SPF records with ~all so far (i.e. softfail), which is unlikely to cause anyone to reject mail outright.

If the providers you are posting through happen to publish SPF records themselves, then you could use an 'include' in your own record. e.g. I've got 'include:ntlworld.com' in mine. But this isn't very satisfactory, as you are (a) relying on SPF records which are out of your control, and (b) allowing any spammers who might also use ntlworld to spoof mail from you.

You can set up your own SMTP server which listens on an alternative port (to avoid redirection of 25), and allows relaying for _authenticated_ connections, then arrange to submit _all_ your mail through it. Then your SPF record will always match. Of course it might not be practical, when 'on the road', to configure all your email clients to use authenticated SMTP through an unusual port.

But all the above is concerned with publishing your _own_ SPF record. Whether or not you set up your own, I don't see why you shouldn't check other people's. If someone goes to the trouble of publishing an SPF record which specifically says "reject mail which purports to come from me, but which doesn't come from the following servers...", then rejecting such mail seems appropriate. If it really is genuine mail from them, then they'll get the bounce which usually includes an explanation of what's wrong with their SPF record.

-- 
Clarke Brunt
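
The publishing choices discussed in this thread (-all, ~all, and an include: of a provider's record), as an added example that is not part of the original messages: a small evaluator for a subset of SPF (ip4, include and all only) run against constructed records. The domain names, IP addresses and the `check_spf` helper are assumptions made for illustration, and a dictionary stands in for DNS TXT lookups.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (documentation IP ranges).
RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.10 -all",
    "soft.example":    "v=spf1 ip4:192.0.2.10 ~all",
    "include.example": "v=spf1 ip4:192.0.2.10 include:isp.example ~all",
    "isp.example":     "v=spf1 ip4:198.51.100.0/24 -all",  # the provider's relays
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the ip4, include and all mechanisms only (a subset of SPF)."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return RESULTS[qualifier]
        elif mech.startswith("include:"):
            # include matches only when the included record yields "pass";
            # the included record's own -all does not propagate upward.
            if check_spf(mech[8:], client_ip, depth + 1) == "pass":
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

With these records, mail relayed through the provider at 198.51.100.77 gets `fail` for strict.example, `softfail` for soft.example and `pass` for include.example, and that `pass` applies equally to every other customer of the same provider.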