North American Network Operators Group

Re: Email peering

  • From: Alexei Roudnev
  • Date: Sun Jun 19 15:21:18 2005

My e-mail is [email protected], but I send it when I am on DSL with Earthlink
(and thru Earthlink SMTP). And it is a 100% valid situation.

----- Original Message ----- 
From: "John Levine" <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Saturday, June 18, 2005 12:25 AM
Subject: Re: Email peering

> >In between the choice of accepting mail from *anybody* by default
> >which we have now and the choice of accepting mail from *nobody* by
> >default that explicit peering agreements represents there is another
> >solution; which is to accept mail only from IPs that have *some
> >relation* to the sender's From domain, for example by MX record or by
> >reverse DNS (we implemented that test and call it MX+).
>
> This has the same problem as all of the other duct tape authorization
> schemes -- it breaks a lot of valid e-mail, so that you have to
> maintain a painfully large manual exception table, or write off a lot
> of mail that your users will not forgive you for losing, or more
> likely, both.
>
> In this particular case, the biggest issue is forwarders, commercial
> ones like, associations like the ACM and IEEE (I get some
> odd mail being uucp at, and large numbers of colleges
> and universities which let graduates keep their email address.  In all
> of those cases, the users send mail from their own ISPs, whatever they
> are, inbound mail is forwarded back to the ISP accounts, and there is
> no way to enumerate the valid sources of mail.
>
> There's also plenty of domains where the inbound and outbound mail
> servers are different, and neither one matches the domain name of the
> mail.  For example, I host about 300 small mail domains on a pop
> toaster here.  The MX is, and the outbound host that
> many but not all of them use is  (Mail for
> itself is on another host.)  The IPs all happen to be in the same /24,
> but guessing whether two IPs are "close enough" is a poor way to
> authenticate or authorize anything.
>
> Before you point out that they could change the way those systems work
> to be compatible with your scheme, well, duh, sure.  But if you're
> going to make people change their existing working mail setups,
> there's little point in going through the vast cost of a widespread
> change for such a marginal benefit.  Read archives of SPF mailing
> lists for endless flamage on this topic, since SPF has the same
> problem.
>
> Regards,
> John Levine, [email protected], Primary Perpetrator of "The Internet for
> Information Superhighwayman wanna-be,, Mayor
> "A book is a sneeze." - E.B. White, on the writing of Charlotte's Web
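
The valid-mail cases raised in this thread, run through a simplified "some relation by MX or reverse DNS" check. This is an added example, not code from any poster and not the MX+ implementation; every domain, IP address and function name in it is constructed, and the DNS data is an inline table so it runs offline.

```python
import ipaddress

# Constructed DNS data (example names, documentation IP ranges; not from the thread).
MX = {   # From domain -> MX hostnames
    "corp.example": ["mx.corp.example"],
    "alumni.example": ["mx.alumni.example"],
    "hosted.example": ["mx.toaster.example"],
}
A = {    # hostname -> addresses
    "mx.corp.example": ["192.0.2.10"],
    "mx.alumni.example": ["198.51.100.5"],
    "mx.toaster.example": ["203.0.113.20"],
}
PTR = {  # address -> reverse DNS name
    "192.0.2.10": "mx.corp.example",
    "192.0.2.11": "out.corp.example",
    "203.0.113.21": "out.toaster.example",
    "198.51.100.77": "smtp.isp.example",
}

def related(client_ip, from_domain):
    """Return how the connecting IP relates to the From domain, or None."""
    ip = str(ipaddress.ip_address(client_ip))
    # Relation 1: the connecting IP is one of the domain's MX hosts.
    for host in MX.get(from_domain, []):
        if ip in A.get(host, []):
            return "mx"
    # Relation 2: the IP's reverse DNS name is the domain or a name under it.
    ptr = PTR.get(ip, "").rstrip(".").lower()
    if ptr == from_domain or ptr.endswith("." + from_domain):
        return "rdns"
    return None

CASES = [  # (description, connecting IP, From domain)
    ("sent from the domain's own MX", "192.0.2.10", "corp.example"),
    ("outbound host named under the domain", "192.0.2.11", "corp.example"),
    ("alumni address sent through the user's ISP", "198.51.100.77", "alumni.example"),
    ("hosted domain, separate outbound host, same /24", "203.0.113.21", "hosted.example"),
]

def run_cases():
    return [(desc, related(ip, dom)) for desc, ip, dom in CASES]

if __name__ == "__main__":
    for desc, result in run_cases():
        print(f"{result or 'REJECT':6} {desc}")
```

The last two cases are legitimate mail that the check rejects: the forwarded alumni address sent via an ISP relay, and the hosted domain whose outbound host shares only a /24 with its MX.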