Mailing List Archive

On Monday, Mar 8th 2004 at 18:42 +0200, quoth Ilan Aisic:

=>A friend pointed me to:
=>
=>http://spf.pobox.com/
=>http://spf.pobox.com/wizard.html
=>
=>Before I go and implement it in my DNS, I'd like to solicit opinions about
=>it from the list.
=>
=>--ilan

It's wonderful. Also, there's a an article on SPF in the current Linux
Journal. It's one of two and it's written by the guy who created pobox.com

--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

On Monday 08 March 2004 17:42, Ilan Aisic wrote:
> A friend pointed me to:
>
> http://spf.pobox.com/
> http://spf.pobox.com/wizard.html
>
> Before I go and implement it in my DNS, I'd like to solicit opinions
> about it from the list.

AFAICS, it will be in 2.70,
http://bugzilla.spamassassin.org/show_bug.cgi?id=2143

And I would assume that they developers wouldn't have added it if it
wasn't good... :-)

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC

On Mon, Mar 08, 2004 at 05:59:49PM +0100, Kjetil Kjernsmo wrote:
> AFAICS, it will be in 2.70,

3.0.0. ;)

> And I would assume that they developers wouldn't have added it if it
> wasn't good... :-)

SPF is the only anti-spoofing system that we're 100% behind actually. :)

--
Randomly Generated Tagline:
ome of the San Jose Sharks.

On Mon, 8 Mar 2004, Ilan Aisic wrote:

> Before I go and implement it in my DNS, I'd like to solicit opinions about
> it from the list.

"It can't hurt but it might not help much."

SPF is designed to solve a specific problem: Joe-jobbing, that is, the
forgery of your domain-part in the sender addresses of spam.

It specifically cannot prevent a spammer from using any domain whose DNS
is under his (legitimate or otherwise) control, on mail that is sent
through open relays/proxies, hijacked PCs, etc., because all the spammer
would need to do is advertise in his own SPF records that those locations
are allowed to send his mail.

On Mon, 2004-03-08 at 09:04, Bart Schaefer wrote:
> On Mon, 8 Mar 2004, Ilan Aisic wrote:
>
> > Before I go and implement it in my DNS, I'd like to solicit opinions about
> > it from the list.
>
> "It can't hurt but it might not help much."
>
> SPF is designed to solve a specific problem: Joe-jobbing, that is, the
> forgery of your domain-part in the sender addresses of spam.
>

True, but the more domains implement it... the more it helps.

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com

On Mon, Mar 08, 2004 at 09:04:53AM -0800, Bart Schaefer wrote:
> On Mon, 8 Mar 2004, Ilan Aisic wrote:
>
> > Before I go and implement it in my DNS, I'd like to solicit opinions about
> > it from the list.
>
> "It can't hurt but it might not help much."
>
> SPF is designed to solve a specific problem: Joe-jobbing, that is, the
> forgery of your domain-part in the sender addresses of spam.
>
> It specifically cannot prevent a spammer from using any domain whose DNS
> is under his (legitimate or otherwise) control, on mail that is sent
> through open relays/proxies, hijacked PCs, etc., because all the spammer
> would need to do is advertise in his own SPF records that those locations
> are allowed to send his mail.

Or he could simply put up no SPF records at all.

SPF adoption will be at best spotty, and if you're going to bump up
score much for SPF entirely lacking, as opposed to SPF present but
indicating the mail came from the wrong place, you'll see significant
false positives.

That said, SSC's records are ready!

--
Dan Wilder

On Mon, Mar 08, 2004 at 11:57:29AM -0500, Steven W. Orr wrote:
> On Monday, Mar 8th 2004 at 18:42 +0200, quoth Ilan Aisic:
>
> =>A friend pointed me to:
> =>
> =>http://spf.pobox.com/
> =>http://spf.pobox.com/wizard.html
> =>
> =>Before I go and implement it in my DNS, I'd like to solicit opinions about
> =>it from the list.
> =>
> =>--ilan
>
> It's wonderful. Also, there's a an article on SPF in the current Linux
> Journal. It's one of two and it's written by the guy who created pobox.com
>


I wouldn't go so far as to call it "wonderful". It breaks mailing
lists; it breaks auto-forwarders (not just free email providers, but the
standard *nix .forward and /etc/mail/aliases); it will cripple email
from mobile devices such as cell phones and PDAs, except for those
people willing to use the domain name provided by the cell provider, or
for those rare few with a phone or PDA capable of SMTP AUTH; it forces
everyone to upgrade to using SMTP AUTH enterprise-wide if you expect to
send an email from anywhere other than your desk (e.g., while
travelling, at an airport, hotel, coffeehouse hotspot, etc.)

In short, it destroys the ability to send email from anything other than
the domain name of your ISP.

(NOTE: Before anyone goes on about "?all", I'll remind you that the
ultimate goal is to have everyone advertising "-all". I'll also point
out that, though per-IP exceptions are possible, the number and length
of TXT records will put an upper limit on how much massaging you can do
in this manner.)

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

On Mon, Mar 08, 2004 at 09:34:04AM -0800, Jonathan Tai wrote:
> On Mon, 2004-03-08 at 09:04, Bart Schaefer wrote:
> > On Mon, 8 Mar 2004, Ilan Aisic wrote:
> >
> > > Before I go and implement it in my DNS, I'd like to solicit opinions about
> > > it from the list.
> >
> > "It can't hurt but it might not help much."
> >
> > SPF is designed to solve a specific problem: Joe-jobbing, that is, the
> > forgery of your domain-part in the sender addresses of spam.
> >
>
> True, but the more domains implement it... the more it helps.
>


The more domains implement it, the more DNS spoofing attacks will
rapidly come to the fore again.

Let's not forget that SPF has yet to be vetted by the IETF.
Implementation seems to be skipping the entire technical evaluation
process.


--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

Jonathan Tai <jon@tgpsolutions.com> writes:

> On Mon, 2004-03-08 at 09:04, Bart Schaefer wrote:
>> SPF is designed to solve a specific problem: Joe-jobbing, that is, the
>> forgery of your domain-part in the sender addresses of spam.
>>
>
> True, but the more domains implement it... the more it helps.

And it would help even better if more domains implemented the
checking on their inbound mail servers. I publish SPF -all for this
domain (and the ones I administer at work) and still get joe-job
bounces from AOL even though they publish SPF records for their
outgoing mail.

Thanks everyone for the comments on the subject.

Yes, I've noticed that SA would implement support to SPF in 2.7. I'm sure
it would strengthen its firepower against spam.

I was more worried about whether I should implement support for it in my DNS
and if so, how to handle all the cases when people with legit email at my
domain (pointer.co.il) hook up with their ISP from home (like I do right
now) and identify themselves with their work email.

In addition, when I sometimes travel, I use temporary mail servers to send
mail but still use the POP server at pointer.co.il and identify myself as
ilan@pointer.co.il. Without reading all the material about SPF, it seemed
to me that if I can't declare "-all" in the text record of the DNS, I defeat
the purpose of SPF.



--ilan





> =>A friend pointed me to:

> =>

> =>http://spf.pobox.com/

> =>http://spf.pobox.com/wizard.html

> =>

> =>Before I go and implement it in my DNS, I'd like to solicit opinions

> about =>it from the list. =>

> =>--ilan

On 08 March 2004 10:05 -0800 "Mark C. Langston" <mark@bitshift.org>
wrote:

[snip]

> In short, it destroys the ability to send email from anything other
> than the domain name of your ISP.

Well put, Mark - I agree 100%. Yet another technical solution for a
non-technical problem.

Mike.

At 12:16 PM 3/8/2004, Mike Zanker wrote:
>Well put, Mark - I agree 100%. Yet another technical solution for a
>non-technical problem.

So the ease with which a spammer can forge your domain name isn't a
technical problem?


Kelson Vibber
SpeedGate Communications <www.speed.net>

On Mon, Mar 08, 2004 at 01:39:38PM -0800, Kelson Vibber wrote:
> At 12:16 PM 3/8/2004, Mike Zanker wrote:
> >Well put, Mark - I agree 100%. Yet another technical solution for a
> >non-technical problem.
>
> So the ease with which a spammer can forge your domain name isn't a
> technical problem?
>


The breaking of several major uses of smtp is a technical problem.
One does not solve a technical problem by creating other technical
problems if at all avoidable.

Further, one does not invite attack on an equally (some would argue
more) insecure protocol if one can avoid it.

Lastly, one does not address all these issues by waving one's hands and
saying, "simply rearchitect your SMTP and DNS deployments."

I'm glad DNS attacks have fallen by the wayside. I've no great desire
to see them become popular again.

There's no need to push this out the door and implement today. When an
appropriate (read: does not break major aspects of existing email use)
solution is ready, the spammers will still be waiting.

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

> >Well put, Mark - I agree 100%. Yet another technical solution for a
> >non-technical problem.
>
> So the ease with which a spammer can forge your domain name isn't a
> technical problem?
>
As I understand it.... No. It's a social misunderstanding, thinking that the
return address of any one piece of mail is authoritative. It was never meant
to be. It's like assuming that the return address on a piece of snail mail
is where the mail came from...... not so.... For that you look at the
postmark. Therefore you cannot (technically) forge a return address, on
snail mail or email. To forge would be to assume that the original data was
authoritative. So.... kludging the mail system to match social
misconceptions is a technical solution to a non-technical problem. QED.
However I can easily understand how others don't see it that way.

Frankly I doubt that SPF will really be of much use as SRS had to be
implemented on all of the net before SPF will stop generating false
positives. A major downside.

I feel kinda odd saying this but I actually like the MS 'Caller ID for
email' plan better. Ok the name sux and it's the great satan... but
technically it's SPF tweeked to work within the confines of email RFCs. The
MS plan deals with the auth by leaving a breadcrumb trail of headers. By
adding headers to track the path of the email, rather than munging the
envelop-sender the MS plan avoids alot of the problems that SPF makes.
Namely those of anyone who forwards or redirects email having to mung the
envelope-sender.

Nick

On Mon, 8 Mar 2004, Mark C. Langston wrote:

> I wouldn't go so far as to call it "wonderful". It breaks mailing
> lists;

No, decent list software sets the envelope-from address to point to
itself (check out the headers for this one). The receiving SPF should be
looking at the envelope-from not the header-From address.

> it breaks auto-forwarders (not just free email providers, but the
> standard *nix .forward and /etc/mail/aliases);

No, it does not break it, it just demands more sophistication on the
forwarder's part. See http://spf.pobox.com/srs.html for one way to
deal with this particular issue.

> it will cripple email
> from mobile devices such as cell phones and PDAs, except for those
> people willing to use the domain name provided by the cell provider, or
> for those rare few with a phone or PDA capable of SMTP AUTH;

OK, 15 years ago, almost -all- smtp servers were run in open-relay mode.
It was considered a free service that you providied for your less-well
connected bretheren. (also a holdover from the UUCP days. How many of
the readers of this list have -any- clue what that means? ;)
Also, nobody thought twice about using telnet and ftp to connect to
sites remotely (ssh & SSL were not even a dream).

Now even our network routers & switches provide SSH connectivity for
management.

Things change, time marches on, new problems/threats arize and people
adapt.

> it forces
> everyone to upgrade to using SMTP AUTH enterprise-wide if you expect to
> send an email from anywhere other than your desk (e.g., while
> travelling, at an airport, hotel, coffeehouse hotspot, etc.)

If you need to support devices that -cannot- do SMTP AUTH, there are
workarounds such as pop-before-smtp. (kluge, but workable, we use it
here).

> In short, it destroys the ability to send email from anything other than
> the domain name of your ISP.

Have you looked at the SPF "Objections Addressed" page?
http://spf.pobox.com/objections.html

I agree that SPF is not a be-all-end-all solution to this mess but its
the best looking answer so far.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

On Mon, Mar 08, 2004 at 04:31:38PM -0600, David B Funk wrote:
> On Mon, 8 Mar 2004, Mark C. Langston wrote:
>
> > I wouldn't go so far as to call it "wonderful". It breaks mailing
> > lists;
>
> No, decent list software sets the envelope-from address to point to
> itself (check out the headers for this one). The receiving SPF should be
> looking at the envelope-from not the header-From address.

Paraphrase: Everyone should just stop using majordomo.

>
> > it breaks auto-forwarders (not just free email providers, but the
> > standard *nix .forward and /etc/mail/aliases);
>
> No, it does not break it, it just demands more sophistication on the
> forwarder's part. See http://spf.pobox.com/srs.html for one way to
> deal with this particular issue.

Paraphrase: fundamentally change your MTA infrfastructure, and for now,
if you're not using sendmail, you're SOL. Even if you are using
sendmail, you're SOL, because the C lib isn't ready.


>
> > it will cripple email
> > from mobile devices such as cell phones and PDAs, except for those
> > people willing to use the domain name provided by the cell provider, or
> > for those rare few with a phone or PDA capable of SMTP AUTH;
>
> OK, 15 years ago, almost -all- smtp servers were run in open-relay mode.
> It was considered a free service that you providied for your less-well
> connected bretheren. (also a holdover from the UUCP days. How many of
> the readers of this list have -any- clue what that means? ;)

I do.

> Also, nobody thought twice about using telnet and ftp to connect to
> sites remotely (ssh & SSL were not even a dream).
>
> Now even our network routers & switches provide SSH connectivity for
> management.
>
> Things change, time marches on, new problems/threats arize and people
> adapt.
>

Yes. But in every instance you mentioned above, both versions of the
underlying service operated concurrently, with no interference one upon
the other.

This is not true with SPF. Deployed sites will react to nondeployed
sites in a derogatory manner. Deployed sites will force unwanted and
unwarranted behavior change on users of said site.

The analogy doesn't hold.

> > it forces
> > everyone to upgrade to using SMTP AUTH enterprise-wide if you expect to
> > send an email from anywhere other than your desk (e.g., while
> > travelling, at an airport, hotel, coffeehouse hotspot, etc.)
>
> If you need to support devices that -cannot- do SMTP AUTH, there are
> workarounds such as pop-before-smtp. (kluge, but workable, we use it
> here).

Cell phones. Show me a solution that works with cell phone mail clients
as they are TODAY (not as they may be rewritten 3 years from now), and I
might buy into that. I've yet to see one do SMTP AUTH; I've yet to see
one do POP-before-SMTP; I've yet to see a START-TLS implementation.

Or shall we all just upgrade our phones as well?

If you think email from mobile devices is a non-issue, and further
believe it will remain so, you're sadly mistaken.

>
> > In short, it destroys the ability to send email from anything other than
> > the domain name of your ISP.
>
> Have you looked at the SPF "Objections Addressed" page?
> http://spf.pobox.com/objections.html
>

Yes, I have. And the answers amount to, "tough. Change your
architecture." That's not an acceptable solution in a boardroom.
That's not an acceptable solution in environments where architectural
changes occur on the order of months, not days. That's not an
acceptable solution where changes to field deployments are major
logistical undertakings.

And it's not an acceptable solution for those who require a vetting by
an established standards body (i.e., the IETF) before giving such
changes serious consideration.



> I agree that SPF is not a be-all-end-all solution to this mess but its
> the best looking answer so far.
>

A D+ is better than an F. Neither is desireable.

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

On Mon, Mar 08, 2004 at 05:06:39PM -0500, Nick Fisher wrote:

> Frankly I doubt that SPF will really be of much use as SRS had to be
> implemented on all of the net before SPF will stop generating false
> positives. A major downside.

Depends how you define a "positive". What you seem to be
thinking of is:

SPF Sent
record from listed Suspect
exists host spam
------- ----------- ---------
no -- yes
yes no yes
yes yes no

which is obviously not a great idea.
If on the other hand you do:

SPF Sent
record from listed Suspect
exists host spam
------- ----------- ---------
no -- no
yes no yes
yes yes no

you won't get any FPs just 'cause there's no record.
On the other hand you may eliminate some spam coming
from folks who forge the addresses of domains where
there _are_ SPF records.

--
Dan Wilder

> Let's not forget that SPF has yet to be vetted by the IETF.
> Implementation seems to be skipping the entire technical evaluation
> process.

"consensus and working code"

-faisal

On Mon, Mar 08, 2004 at 04:31:38PM -0600, David B Funk wrote:
>
> Have you looked at the SPF "Objections Addressed" page?
> http://spf.pobox.com/objections.html
>


I wanted to address this in a bit more detail, so here's a summation of
each addressed objection on that page:

1) Traveling Mailman problem.
Solution: SPF exceptions, SASL (infrastructure change).

Problems with solution: Limit to number and size of TXT records, rapid
burgeoning of number off TXT records individual/group must maintain,
leading to huge administrative headache. Also, the "change your
infrastructure to address problem we created" solution is not just a
non-starter, it's simply rude.

2) Cybercafe.
Solution: MSA (infrastructure change).

Problems with solution: Again, their response to "SPF creates a
problem" is, "solve the problem by changing your infrastructure."
Unacceptable. Furthermore, their justification for this solution is
that ISP's block port 25 outbound. What in Ghu's name makes anyone
think they won't simply start blocking 587 outbound as well?

3) Forwarding and Return-Path.
Solution: Use your ISPs domain for all outgoing email, or connect
through a single (or handful of) "blessed" MXes for whichever domain you
wish to use. The ability to, say, send email using a domain you own
from the dynamic IP granted you by your ISP (as I do) will disappear.

Problems with solution: Many ISPs do not respond to MX problems in a
timely manner. Many ISPs handle a load that unnecessarily increases
delivery times. Many ISPs do not deserve the de facto free advertising
granted them by using their domain name instead of one owned by the
end-user. Many end-users find themselves behind ISPs other than the
one controlling the domain they use for email on a regular basis
-- business travellers, vacationers, busy people with home computers, work
computers, and mobile devices, each with their own ISP and IPs, but each
capable of sending an email with a single domain as the RHS of an email
address. Many end-users take advantage of .forward files and
/etc/mail/aliases functionality to have email sent to other addresses
instead of or including the original destination. Here again, their
solution is "rearchitect your MTA". And here, again, that solution is
simply unacceptable, because it says, "we created a new problem. It's
up to you to fix it. We can't be bothered."

4) Conscientious Objectors (aka "People who don't publish SPF records")
Solution: Treat anyone without an SPF record as suspect.

Problems with solution: This is not a good way to ensure a smooth
transition to a new approach, particularly not one as disruptive as SPF.
Know what the end result will be? Many sites advertising SPF records,
and nobody acting on them.

They even have the nerve to say (and I quote directly from the page):
"Domains who do this are the same domains who run open relays."

I beg to differ, and I find the tone -- and the underlying implications
-- insulting.

5) Throwaway domains.
Solution: SPF doesn't have a solution to this.

Problems with solution: Spammers will simply flock to this gaping hole,
as well as begin dredging up old DNS spoofing and poisoning attacks.
(By the way, that last bit about reputation systems seems to have been
added since last I read that page. I find it interesting, since that's
the approach I favor (and have done some work on), and I've insisted all
along that it must be coupled with other approaches. What bothers me
tremendously about SPF, aside from what I mention above, is that they're
willing to deploy without this crucial dependency, whereas I'd never
advocate rolling out one without the other! Without both pieces in
place, rolling out either is suicide.)

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

On Mon, Mar 08, 2004 at 02:49:22PM -0800, Dan Wilder wrote:
> If on the other hand you do:
>
> SPF Sent
> record from listed Suspect
> exists host spam
> ------- ----------- ---------
> no -- no


...which is not the recommendation of SPF. The default assumption is,
"no SPF record == bad, evil spammer."

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

On Mon, Mar 08, 2004 at 03:01:56PM -0800, Faisal N Jawdat wrote:
> >Let's not forget that SPF has yet to be vetted by the IETF.
> >Implementation seems to be skipping the entire technical evaluation
> >process.
>
> "consensus and working code"
>


Well, I don't yet see consensus. I see code, but it doesn't yet play
well with others.


--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org

On Mon, 8 Mar 2004, Mark C. Langston wrote:

> On Mon, Mar 08, 2004 at 04:31:38PM -0600, David B Funk wrote:
> > On Mon, 8 Mar 2004, Mark C. Langston wrote:
> >
> > > I wouldn't go so far as to call it "wonderful". It breaks mailing
> > > lists;
> >
> > No, decent list software sets the envelope-from address to point to
> > itself (check out the headers for this one). The receiving SPF should be
> > looking at the envelope-from not the header-From address.
>
> Paraphrase: Everyone should just stop using majordomo.

Read RFC-2821, section 3.10. It says:
"When a message is
delivered or forwarded to each address of an expanded list form, the
return address in the envelope ("MAIL FROM:") MUST be changed to be
the address of a person or other entity who administers the list.

Note the "MUST".
If majordomo does not do this then it is broken and should either
be dropped or fixed (as I have no personal experience with
majordomo I'm basing this upon your insinuation).

Thus the only addtional condition that SPF requires is that the
list maintainer address coincide with the list sending system.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

> SPF Sent
> record from listed Suspect
> exists host spam
> ------- ----------- ---------
> no -- no
> yes no yes
> yes yes no
>
> you won't get any FPs just 'cause there's no record.
> On the other hand you may eliminate some spam coming
> from folks who forge the addresses of domains where
> there _are_ SPF records.
>
This overlooks the root of the problem....

Domain A: SPF + SRS
Domain B: No SPF or SRS
Domain C: SPF + SRS

Now if I'm in domain A and I send mail to someone in domain B and that
forwards to someone in domain C.... The mail will appear to be spam. It will
come from a domain with SPF but SRS will not have been followed all the way
through the message's path. So when it hits domain C and the SPF is
checked.....

Untill all the worlds SMTP servers know and use SRS, SPF will generate false
positives. There is no way (that I can see) around that. I put this to the
guy who proposed SPF and he agreed with me.

Nick

But if your using SpamAssassin or some other scoring based spam software
what difference does it make since it's merely just another test like
the RBLs.

-----Original Message-----
From: Mark C. Langston [mailto:mark@bitshift.org]
Sent: Monday, March 08, 2004 6:04 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: Opinions About SPF

On Mon, Mar 08, 2004 at 02:49:22PM -0800, Dan Wilder wrote:
> If on the other hand you do:
>
> SPF Sent
> record from listed Suspect
> exists host spam
> ------- ----------- ---------
> no -- no


...which is not the recommendation of SPF. The default assumption is,
"no SPF record == bad, evil spammer."

--
Mark C. Langston Sr. Unix SysAdmin
mark@bitshift.org mark@seti.org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org