Re: [Asrg] What are the IPs that sends mail for a domain?

[Bill Cole <asrg3@billmail.scconsult.com>]

Ian Eiloart wrote, On 6/22/09 10:16 AM:
>
>
> --On 22 June 2009 07:19:04 -0500 Gordon Peterson <gep2@terabites.com>
> wrote:
[...]
>> In my personal mailboxes I have (way) more than 50,000 archived
>> bounceback messages to e-mails which I have never sent... just because
>> they have a (forged, and generally invalid) From: address that is
>> supposedly in one of my domains.
>>
>> Since I haven't sent these messages (neither intentionally, nor by
>> irresponsible management of my systems here) there is NOTHING I can do to
>> prevent such messages.
>
> There is, actually. If you publish SPF records with a strong -all, then
> recipients can easily decide to reject (not bounce) messages. Add DKIM
> signatures, and they'll be able to tell when someone has forwarded your
> legitimate email.

Do you have any evidence that this actually works to any detectable degree?

I have solid proof that it is far from perfect, but I only have a handful of 
addresses that ever had significant bogus bounce flow in the one domain I 
could safely use in a SPF '-all' effectiveness test. The first 5 years of 
that test have shown a slow drop in the rate of bad bounces in general 
offered to that domain, but it isn't much more proportionally than the drop 
from a dribble to a trickle that I've seen for a domain with no SPF record. 
The noise in my minuscule and weakly controlled data makes it quantitatively 
worthless, but on a qualitative basis it makes clear that strong SPF records 
are not yet a strong universal tool for preventing blowback bounces.

If you are aware of SPF being any more useful than prayer at controlling 
blowback, please share it.