Narcis Garcia <informatica@???> wrote:

> 1. SPF is a friendlier solution and enough for this.

SPF breaks mailing lists and mail forwarders - and this is NOT (IMO) fixable without introducing a wide open front gate for spammers to ride through and completely bypass SPF.

So consider that *I* publish an SPF record for my domain(s). If I post on a mailing list then I need to include the IP address of the list server in my SPF record - if I don't, then any MX that checks SPF will reject the message. I need to keep the SPF record up to date whenever ANY of the mailers used by ANY of the lists I'm subscribed to changes.

Now, with my own mail server, it might just be practical to do that. If you use a hosted service such as hotmail, Gmail, ... then it isn't going to happen.

To work around that, the mail list must either be configured to munge the sender address - ugly and breaks traditional usage - or they must use SRS.

SRS is the wide open gate I referred to. It basically (AIUI) tells a downstream MX "I am relaying this on behalf of X, but for SPF purposes treat it as having come from me".
So all a spammer has to do is send out his spam with the right "looks like SRS" from address and you've bypassed SPF - AFAICS for ANY sender domain !


AFAICS, with SPF/DKIM/DMARC/whatever they come up with tomorrow they seem to be laying gaffer tape on gaffer tape trying to fix something that's fundamentally broken and which they keep breaking even worse with each layer of gaffer tape. And what's more, it seems that most outfits using all this gaffer tape are taping over problems in their own systems - if they didn't accept message they know they won't be delivering, then half the problem would disappear !