Implement SPF records for email
Title:
Implement SPF records for email
Area:
Administration
Summary:
Implement DNS SPF records to facilitate email delivery to large webmail providers
Description:
SPF is an industry standard way of guaranteeing which email servers are permitted to send mail on behalf of your domain. At present, there seems to be a perennial problem with Dreamwidth bulk email being rejected from time to time - the "big four" email providers (Gmail, Hotmail, Yahoo and AOL) -do- use SPF records to positively weight email spam scores in favour of bulk emailers.
Dreamwidth.org sends mail from one server - it is simple to implement a DNS TXT record that reads "v=spf1 mx ~all" that will verify to any email receiver that checks SPF that your MX server is permitted to send mail on behalf of "@dreamwidth.org" senders.
It also makes the likelihood of future spammers spoofing dreamwidth.org addresses in order to send mail much less.
SenderID is also a useful solution, but SPF is simple to implement and will assist with delivery of bulk email to most large email service providers.
This suggestion:
Should be implemented as-is.
27 (60.0%)
Should be implemented with changes. (please comment)
0 (0.0%)
Shouldn't be implemented.
0 (0.0%)
(I have no opinion)
17 (37.8%)
(Other: please comment)
1 (2.2%)
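How a receiver evaluates a record like the "v=spf1 mx ~all" proposed above, as an added example that is not part of the original suggestion or Dreamwidth's own code. It is a simplified evaluator run over a constructed DNS table; example.org, mail.example.org, strict.example and the 192.0.2.x / 198.51.100.x addresses are placeholders.

```python
import ipaddress

# Constructed DNS data: placeholder names, documentation-range addresses.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ~all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("strict.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))


def check_spf(sender_domain, client_ip):
    """Simplified SPF check: mx, a, ip4 and all only (no include,
    redirect, macros or the RFC 7208 DNS lookup limits)."""
    records = [t for t in lookup(sender_domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # multiple SPF records are an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = host_has_ip(arg or sender_domain, ip)
        elif name == "mx":
            matched = any(host_has_ip(h, ip)
                          for h in lookup(arg or sender_domain, "MX"))
        else:
            return "permerror"  # mechanism not handled in this example
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

With "~all", mail from any host other than the MX evaluates to softfail, which receivers generally accept but score as suspicious; a record ending in "-all" returns fail for the same sender.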
no subject
I hope you mean you would block mail where the first mailserver was on a home IP address. Plenty of people send mail from a home IP address, but it's incredibly rare that any good mail would be sent where the mailserver itself was on a home IP address - instead, those mails would be mostly sent through their ISP's mailserver.
I agree with blocking in the mailserver/home IP case, but not blocking everyone who just happens to send their mail from home. How on earth would you check for that, anyway?
no subject
There are blacklist providers who keep specific lists of home or dynamically-allocated IP networks that the big ISPs use which you can subscribe to, but I simply block everything with a certain kind of name from Comcast.com, RR.com and with something that looks like an IP address in the name (such as 123-456-789.crappy.isp.com). Some antispam engines allow you to block anything that's ever traversed a known-spamming network, but I'm not quite that stringent.
If places like Comcast in the US forced people to log on to their mail servers every time they sent a message (obviously you can set up the mail client to log on for you), the amount of spam that tries to come into my organisation (in Australia) would instantly drop by about 15%.
My check is pretty crude - it's not the kind of thing I'd do if I were an actual email service provider - but I get rid of 70% of inbound message traffic just from that check, and have a list of less than a dozen "false positives" over the last 5 years. When you're talking getting rid of several thousand messages a day, and only having 10 or so false-positives out of literally millions of connections, I think the blunt tool can be pretty useful (if it's well-maintained).