On 03/30/11 18:13, David Camm wrote:
> we keep a reasonably tight ship, and the spf record for my domain only
> has 'a mx -all'
>
> every once in a while i get a delivery failure message which refers to
> recipients at hotmail.com.
>
> the from is always "some name" HIDDEN@advwebsys.com>
>
> the reporting mta is obviously not our surgemail server, but the message
> comes to me.
>
> i'm concerned about how many messages actually get delivered.
>
> what i don't understand is that given our spf record, how this could
> happen.
>
> how could someone using ironport.iske.sk as their mta send using my
> email address? and, how could hotmail accept that??????
>
> any enlightenment would be greatly appreciated.
>
> david camm
> advanced web systems
> keller, tx
>
>
>

I was watching the stats from our Barracuda(we have one in front of 
Surgemail for various reasons that only apply to us) and we found that 
it was not worth the cpu cycles to check spf records in our Barracuda.

Not enough other shops used it or had it setup correctly.

We found a university that gave it's alumni email address's forever. 
And then they instituted strict SPF records.  And we had people yelling 
at us that OUR policy was broken, when we were just following the policy 
as published by the university via their SPF records.

In the end, we were not blocking enough email to justify the cpu cycles 
to check SPF records(less than one email a week).  So why should someone 
one as big as Hotmail/Microsoft put forth that effort when not wasting 
cpu cycles on SPF checks will allow them to have fewer servers in their 
server farm and lower their Internet traffic?  While at the same time, 
doing SPF checks blocks an insignificant percentage of their incoming 
traffic?

Lyle Giese
LCR Computer Services, Inc.