Slashdot Mirror


Microsoft to Deploy SPF for Hotmail Users

wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, Microsoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."

8 of 562 comments

  1. Making sure I see my role in this... by E1ven · · Score: 5, Interesting

    Ok.. Let me make sure I understand this correctly..

    I maintain a few domains, such as Sq7.org, from which I send e-mail.. I send it from home, from my girlfriend's house, from wherever I happen to be.. But I send it by connecting through the sq7.org server, and forwarding mail through there.

    The way I understand SPF, I just need to publish that the IP sq7.org runs on is authorized to send Sq7.org's mail, and NOT the IP for my home, office, etc, since I don't send directly from the local computer.

    If I did send directly from the local computer, without going through the external server, I'd need to add my local IP to the SQ7.org DNS records.

    As it is, though, I'll need to avoid using my ISP's SMTP servers if mine go down, or add them to the domain.

    Am I understanding this right?

    -Colin

    --
    Colin Davis
    1. Re:Making sure I see my role in this... by mshultz · · Score: 5, Interesting

      Yeah, I was wondering about this too--- particularly how this is going to work with things like universities. Where I just graduated from, you're only allowed to use their SMTP server if you are either on campus, use the VPN, or are using authentication over SSL from wherever. For everyone off campus, you are expected to use your ISP's SMTP server.... and often, you'd have to anyway, with ISPs blocking outgoing port 25 these days. So how then would a university, for example, implement SPF with people using whatever.edu 'From' addresses, but going through thousands of different ISP-owned SMTP servers?

      Surely there's a better solution than to have people change their 'From' address based on who's providing their internet connection at that moment (a real challenge for wireless hotspot users.....), and just keep the Reply-To header constant.

      Maybe I understand this wrong-- just wondering how it's all going to work.

  2. Easy? by Compholio · · Score: 4, Interesting

    "Publishing SPF records is easy, as is checking SPF records."

    Only if you can edit your own DNS records, most management tools only allow modification of A, MX, and CNAME records. For this to really take off the tools need to add support for TXT records.

  3. MSN Broke My Email by stoolpigeon · · Score: 4, Interesting

    They are making all kinds of changes lately-- and they are not bothering to send anything to their users. I've been an MSN customer since just after they started up the service. Last week Outlook couldn't pull my email from their pop3 server any more. I sent in a help ticket. The reply I got said it was a problem they were fixing- and gave me instructions to set up Outlook Express to pull web mail from an http server.

    I responded that I don't use Outlook Express, I use Outlook 2000 and it will only pull Email from pop or imap servers. Their response, upgrade to Outlook 2002 (or above) or just use the hotmail interface. Of course using hotmail means no more hot syncing to my palm and I have to start manually sifting through spam again (my filter I use is an Outlook plug in)

    I had been thinking about changing my ISP but now I don't even have a choice.

    What ticks me off most is there was no advance notice of these changes- and it took multiple emails to MSN support to find out what was really going on.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  4. I guess it's time to do some research by Paul+Carver · · Score: 3, Interesting

    I have a couple of domains registered and pointed at a cheap shared host. I generally send mail using either Mutt over ssh or Mozilla via several different SMTP servers (cable modem ISP, web host ISP, work SMTP server) and I routinely edit my from address to use whatever userid and whichever of my domains is relevant.

    I guess this change means that hotmail users won't be able to receive mail from me unless I read up on SPF and figure out how to get the appropriate configurations into my bargain basement DNS and hosting configs. I hope this doesn't require any administrative privileges since I don't run my own DNS or mail servers for my domains. You can't do that sort of thing for less than $20/month.

  5. Re:SPF version? by frankie · · Score: 3, Interesting
  6. Re:Hey, Microsoft willingly employs HTTP as well! by gordyf · · Score: 4, Interesting

    They've fiddled with HTTP also. ISTR some tricks IE did with IIS to keep persistent connections so that page loads would be quicker.

  7. Re:PGP/GPG? by blowdart · · Score: 3, Interesting

    I think that using PGP would be a better system, but I don't think it will ever actually happen...too difficult to implement.

    Except PGP would mean you have to accept the complete message, then check the signature (and cache a signature for every from address).

    SPF does it a lot sooner, from the FROM command, so you're not wasting that much bandwidth. Also there's less caching as it's one record *per domain*