Hello,

I am running the new version with SPF.  It is working well and blocking things already.  One problem I have is that some of our email customers have a connection other then ours and their ISP has blocked the SMTP port so the user has to setup their email to go through that ISPs email server.  The system sees them with our address and sees it coming from the other ISPs email sever and SPF of course blocks it.  For now I have put these people in the "Excluded FROM emails" list so their email will get through for now.

What would be the proper way to handle these kind of cases?

Hillard

From looking at the spf.pobox.com site I see I can put a ?all in the DNS string instead of the -all to solve the problem; however, not sure I like that method.  Or is that the only good way to allow these messages that go through another ISPs email server that are really my email clients?

Hillard

Hillard,

This is actually the single biggest problem with SPF.  AND, we all seem to have our own opinions as to the solution. 

1. For our customers that use outside connections and have static IP's, I have managed to get their ISP's to put RDNS on the IP such that I can add the ptr: directive into their SPS record.

2.For our customers that have DHCP IP's, they usually do not change often if they do not reboot their cable or dsl modem / routers so I allow them to relay through us with an allowed IP

3. For our customers that dialup through another service, FOR NOW, I am having them use our WebMail to send out.

4.  I have been kicking ideas around with Roberto on how to authenticate but this will take time because we all have so many different pop servers and some of those do not support SMTP-AUTH

This is going to cotinue to be a hassle for some time but one that I feel is worth it after seeing how well it is working.

Dan S.

Hillard,

The "?all" directive is a way to get around this issue, but it also completely defeats the purpose of SPF.  It may be better to have no SPF record at all rather than use the "?all" directive, because "?all" will always result in a "pass" response.  This might cause some receiving mail systems (not SpamFilter, but others) to place a greater degree of trust in this message, and bypass other spam checks that they would otherwise be running if an SPF "pass" response had not been received.

I am facing a situation that is similar to yours, and have chosen to NOT publish SPF records for our domains for the time-being.  We're an ASP that provides email services to our clients, and our clients utilize Internet services from dozens of ISPs across Canada and the U.S.  More than a few of these ISPs have decided to block all SMTP traffic except for traffic directed to their own SMTP server, thinking that it will help them to fight spam originating on their network.  We have to change the email configuration for our clients to use the ISPs SMTP server for outbound mail.

There are workarounds, but none of them are easy to implement (SASL, configuring all of your clients to use a port other than 25 for SMTP, etc.).  For now, I'm taking the approach of contacting ISPs and asking them to un-block port 25 for our servers.  According to the report issued by the Anti Spam Technical Aliance http://docs.yahoo.com/docs/pr/pdf/asta_soi.pdf" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://docs.yahoo.com/docs/pr/pdf/asta_soi.pdf" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - http://docs.yahoo.com/docs/pr/pdf/asta_soi.pdf

The funny thing is, the ISPs who have signed-on to this document are among the WORST when it comes to this indiscriminate blocking of port 25.  I still haven't found anyone at MSN who will open up port 25 traffic bound to our mail servers.  Fortunately, we do have some influence over our customers ISP choices, so unless MSN and others start to "practice what they preach," there might be a bunch of MSN accounts being cancelled in the near future.

Jim