On 14602 March 1977, Philip Hands wrote: > I guess we could help the mail servers of the recipients of the initial > messages make that decision if we did SPF for debian.org, but I guess > that the lack of SPF probably indicates that this is very hard to do > with our distributed setup.
With the current setup that allows every DD to use their @debian.org from any random server they have access to, it is impossible. Debian (DSA) would need to offer an outgoing SMTP relay and we would need to force everyone to use that for any mail with an @debian.org address, and then you can enter them in the SPF record. Thats a lot of ongoing maintenance work added for an unclear benefit: SPF is a mixed thing. Some mail operators even take the existance of an SPF header to score mail HIGHER, not lower. And it doesn't really stop mail appearing from other hosts. That would be the next step, DMARC, which is SPF plus DKIM plus some extra DNS records. And DMARC then allow to tell other mail servers (that follow DMARC) to get rid (spamfilter) mail that aren't from what your DNS says it should be from (or aren't signed correctly/at all). But its even more maintenance and burden for a group like Debian. -- bye, Joerg
