Meng Weng Wong wrote:
> Without diving too deep into this can of worms I'd like to point out
> that rejecting mail due to SPF fails is a whole different
> ball-game-of-wax than accepting mail due to an SPF pass -- the
> limitations related to forwarding are well known, but orthogonal to
> whitelisting, which is what this thread was originally about... A
> domain whitelist (reputation) is useful whether the
> (authentication/authorization) mechanism is SPF or DKIM or PTR.
>
>


But SPF pass means nothing because if you set any kind of real
restrictions on the domain then it breaks forwarding.

What I'm proposing here requires that the domain do nothing at all
except to not send spam. It's verified RDNS for lack of a better term.
It is intrinsic to the existing system. All you have to do is check the
RDNS, look up the name returned to see if it points back to the same IP
and then do a lookup of the host name to see if the name is on a
whitelist. The ham domain has to do nothing at all. This is dirt simple
and it works. Isn't it time we give up on SPF and go with something that
works?

As most people here know I try a lot of things. But if I try something
and it doesn't work then I give it up and go try something else.
Spammers can set up SPF just as easily. The only way SPF can be relied
on is if you restrict it to where it breaks forwarding. RDNS is 100%
accurate if you verify it. It requires nothing be done and the only
thing you need to do is monitor hosts and add hosts that maintain a spam
free reputation.

Granted my list of 1500 domains isn't perfect or complete. That's
because I'm just one small company. That's why I'm throwing the idea out
there so that sharp people, like yourself quite frankly, can start with
the concept and do it right. And since this is a whitelist if some spam
sneaks through every now and then because a big bank gets a virus - so
what. White lists don't have to be as accurate as black lists because
you don't lose anything if you're wrong.

And to throw in a new concept - this could also be used for what I
call "yellow listing" which are domains like yahoo, hotmail, gmail, aol,
etc that are mixed source senders but you never want to blacklist. This
protects them from false positives.

So Meng - come on. Give it up on SPF and do this instead because it's
easier and it actually works.
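
The check described in this message (reverse lookup, confirm that the returned name resolves back to the same IP, then match the host name against a whitelist or "yellow list"), as an added example that is not part of the original post. The function names, the list arguments and the sample DNS data are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS data (documentation address ranges) so the check runs offline.
SAMPLE_PTR = {"192.0.2.10": ["Mail.Example.com."], "198.51.100.7": ["mail.example.com"],
              "203.0.113.5": ["mx.notexample.com"], "192.0.2.20": ["mta1.mixed.example"]}
SAMPLE_A = {"mail.example.com": {"192.0.2.10"}, "mx.notexample.com": {"203.0.113.5"},
            "mta1.mixed.example": {"192.0.2.20"}}

def ptr_names(ip):
    """Reverse lookup: host names the PTR record(s) claim for this IP."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def forward_ips(host):
    """Forward lookup: every A/AAAA address the host name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def in_domain(host, domain):
    """Match on a label boundary so 'notexample.com' never matches 'example.com'."""
    return host == domain or host.endswith("." + domain)

def classify(ip, whitelist, yellowlist=(), reverse=ptr_names, forward=forward_ips):
    """Return 'white', 'yellow' or None for a connecting IP (lists hold lowercase domains)."""
    client = ipaddress.ip_address(ip)
    for name in reverse(ip):
        host = name.rstrip(".").lower()
        # The PTR record is set by whoever controls the IP block, so the claimed
        # name only counts once it resolves back to the connecting address.
        if not any(ipaddress.ip_address(a) == client for a in forward(host)):
            continue
        if any(in_domain(host, d) for d in whitelist):
            return "white"
        if any(in_domain(host, d) for d in yellowlist):
            return "yellow"
    return None
```

With the default `reverse` and `forward` arguments the function queries live DNS; passing lookups backed by `SAMPLE_PTR` and `SAMPLE_A` exercises the unconfirmed-PTR and look-alike-domain cases offline.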