Upcoming changes to help combat SPAM and forgeries
By Peter M. Abraham
June 2005
What is the goal behind SPF (Sender Policy Framework)?
From
http://spf.pobox.com/howworks.html
Have you ever gotten spam from yourself? I have,
and I've been thinking hard about how to stop it! I didn't send it. It came
from a spammer.
SPF makes it easy for a domain, whether it's an ISP, a
business, a school or a vanity domain, to say, "I only send mail from these
machines. If any other machine claims that I'm sending mail from there,
they're lying."
And that's it! SPF aims to prevent spammers from
ruining other people's reputations. If they want to send spam, they should
at least do it under their own name.
And as a user, SPF can help you sort the good from the
bad.
Implementing SPF is a team effort
Implementing SPF to stop liars from spoofing (forging)
email addresses is a team effort.
We, the email provider, have to do our part by setting
our DNS (post office like) servers and email servers to work with the
various SPF settings (this we have already done).
You, our customers, have to do your part by determining
which SPF settings you want to use for your domain name (we can help you);
and if you are a Parallels H-Sphere hosting customer of ours, you can do this by point
and click in your control panel at
https://cp.dynamicnet.net:8443/
You, our customers, have to spread the word to your
partners, vendors, customers, business relationships, friends, mailing list
providers, etc. (aka anyone who sends email to domains we host for you) so
that those parties publish their SPF records.
Then, after you and your various relationship parties
have published their SPF records, we flick the switch which tells our
email servers no forgeries are allowed, ever.
We will do our best to help you with your settings, and
will also provide you with a form letter you can send to your relationship
parties (your customers, your partners, etc.) to encourage them to set up
their SPF records so they can continue sending you email after the “no
forgeries allowed, ever” switch has been turned on.
Change for sending email through our servers
One of the changes we are implementing, which
complements SPF in preventing forgeries as well as unauthorized sending of
email pretending to be you, is authenticating email users.
We currently allow you to set up your email programs –
Microsoft Outlook, Outlook Express, Netscape, Eudora, Thunderbird, etc. – to
be able to send email through our mail servers if anyone in your company
checked a valid mail box (POP3 / IMAP) account on our server from your
domain.
We are switching to a procedure / process called SMTP
authentication where you (and any of your staff) will need to update your
email programs – Microsoft Outlook, Outlook Express, Netscape, Eudora,
Thunderbird, etc. – to include your email address and password in order to
send email.
We have prepared various “How To” documents to help you
update your email programs with the right setting.
Eudora users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/eudora.html#auth
Microsoft Outlook Express users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/outlook.html#auth
Netscape users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/netscape.html#auth
Important Calendar of Events
| Day and 2005 Date | Event | Notes |
|---|---|---|
| Monday, July 11 | We turn on SMTP Authentication Only | Failure to update your email programs to use SMTP Authentication will mean you cannot send email through our mail servers. |
| Monday, July 11 | You start publishing your SPF records for domains on our servers which send email | We can do this for you; Parallels H-Sphere customers can do it in E-Mail Manager in their control panel |
| Monday, July 11 | You start contacting all of your customers, partners, vendors, and relationship parties so they can start the process of publishing their SPF records if they have not done so already. | |
| Monday, August 15 | We get a pulse of where SPF stands. Look for further communication from us on SPF before the end of August. | Industry speaking, SPF was to be “required” by all parties last October 2004. Since SPF requires everyone to basically have an “ID” card, if too many parties don’t have an ID, then implementation gets delayed. |
Form Letter to customers, partners, vendors, etc.
July 11, 2005
Dear ___________:
You may have read of the increasing cases of email
forgery (also known as “spoofing”) where senders of SPAM use a form of
identity theft by claiming to be someone they are not. You may have even
received such SPAM claiming that you were the very sender of the spam.
Dynamic Net, Inc., our email provider, will be using an
Internet standard called Sender Policy Framework (or “SPF” for short) to
prevent email forgeries through their mail servers.
SPF, to prevent identity theft, requires everyone
sending email to identify what machines are used to send the email.
If you use a national provider like AOL (America
Online), then most likely the national provider has taken the steps to
identify themselves via an SPF “record.” If you are a fellow customer of
Dynamic Net, Inc. –
http://www.dynamicnet.net/ -- your bases are covered as well.
However, if you are hosting your own email or work with
a local provider, you will most likely have to publish your own SPF record.
Please visit
http://spf.pobox.com/ to learn more about SPF. This Web site also has
an SPF wizard to help you determine your SPF record for your mail service
domain name; but you should leave that in the hands of your email service
provider.
Sincerely yours,
Reference Material
How to set up SPF in Parallels H-Sphere E-Mail Manager
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/spf.html
How to configure your E-Mail clients / programs to work
with SMTP Authentication
Eudora users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/eudora.html#auth
Microsoft Outlook Express users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/outlook.html#auth
Netscape users, please visit
http://dynamicnet.net/customer/Parallels H-Sphere/user/html/netscape.html#auth
SPF and SRS resources
SPF -
http://spf.pobox.com/
SRS (Sender Rewriting Scheme) -
http://spf.pobox.com/srs.html
SPF Mechanisms -
http://spf.pobox.com/mechanisms.html
How-to: Understand SPF Configuration -
http://kbase.vircom.com/Kbase32/default.asp?SID=&Lang=1&id=943