17 Sept 2008
Implementation of Sender Policy Framework (SPF) policies within a RidgeStar mail domain rests on one fundamental concept: all email originating from the domain, and in fact from the related website, will be associated with that domain.
This is the core idea of SPF, that email claiming to come from a domain can be validated by that domain as originating from a Mail Server that is authorized to send it. Consider the following figure:
- The entry point for Email from RidgeStar domains is the RidgeStar Mail Server (mail.ridgestar.com). The mail server looks up where to send the Email and sends it to the Receiving Mail Server. The Receiving Mail Server may choose to enforce SPF Principles or not. If not, the Email is delivered to the User. If the Receiving Mail Server supports SPF Principles, messages with an SPF=Fail result are sent to the Trash and messages with other SPF results are delivered to the User.
- If the Receiving Mail Server is configured to respect SPF Principles, it contacts the Domain Name Service for the source domain and requests the SPF Definitions (which define which portions of the Internet can legitimately initiate Email from the specified Domain). The RidgeStar Domain Name Service will respond with Fail (sending Mail Server is NOT approved), Neutral (no recommendation), SoftFail (sending Mail Server is NOT approved, but do not delete the message; mark it and deliver it), or Pass (sending Mail Server is approved).
- An email message originating from a mail server not authorized by RidgeStar will not map properly when the Receiving Mail Server asks the Domain Name Service for the SPF entries. Thus, hijacked email, or email initiated as a result of Sender Address Forgery, is thwarted.
SPF is not supported by all Receiving Mail Servers throughout the Internet, but its adoption is growing (see SPF-All.com for a recent statistical evaluation of active domains throughout the Internet and RidgeStar's own Email Statistics for recent RidgeStar Mail Service percentages). As a "Receiving Mail Server", mail.ridgestar.com does support SPF=Fail and will immediately delete the incoming mail. Email from domains with SPF=SoftFail will have the subject of the message prepended with the character sequence [SoftFail].
By default, mail.ridgestar.com email domains are in SPF=SoftFail status until the SiteManager has confirmed that it is appropriate to change to SPF=Fail. RidgeStar DOES recommend that all clients do their best to migrate to SPF=Fail as soon as possible.
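The lookup-and-verdict flow in the list above, together with the receiving-server policy just described (delete on SPF=Fail, tag SoftFail subjects, deliver everything else), can be illustrated with a small evaluator. The Python below is an added example written for this page, not RidgeStar's mail server code: it takes the SPF record text directly instead of querying the Domain Name Service, implements only the ip4, ip6 and all mechanisms (any other mechanism yields the RFC 7208 "permerror" result, a simplification), and uses constructed documentation-range addresses rather than any real RidgeStar addresses.

```python
import ipaddress

# SPF qualifier prefixes and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record. 192.0.2.0/24 is documentation address space
# (RFC 5737), not RidgeStar's network; "~all" puts the domain in SoftFail status.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"


def check_spf(record, client_ip):
    """Evaluate an SPF TXT record against the IP of the connecting mail server.

    Returns pass / fail / softfail / neutral (the results the page lists),
    'none' when the text is not an SPF record, and 'permerror' for a
    mechanism this simplified evaluator does not implement.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[:1] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # 'all' always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network argument
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                         # no match, try the next term
        return "permerror"                   # include/a/mx/exists not handled here
    return "neutral"                         # nothing matched and no 'all' term


def receiver_action(result, subject):
    """Apply the receiving-server policy the page describes for mail.ridgestar.com.

    Returns (action, subject): Fail deletes the message, SoftFail delivers it
    with '[SoftFail]' prepended to the subject, anything else is delivered as-is.
    """
    if result == "fail":
        return ("delete", None)
    if result == "softfail":
        return ("deliver", "[SoftFail] " + subject)
    return ("deliver", subject)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7"):
        verdict = check_spf(SAMPLE_RECORD, ip)
        print(ip, verdict, receiver_action(verdict, "Practice schedule"))
```

A sending server inside 192.0.2.0/24 passes; any other server gets SoftFail under this record, which is exactly the state the page describes for a domain that has not yet moved to "-all" (SPF=Fail).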
Interactive Operation Sites and Bulk Email
Many of the RidgeStar sites support a generalized communication vehicle commonly known as "Bulk Email" that permits an authorized User to send copies of an email message to multiple recipients (in concept, individual participants in the site's operations). Historically, this email has been set to identify itself as originating from the domain of whatever Email address the User requests (that is, the address the User prefers). With the increasing implementation of SPF principles across an expanding range of Receiving Mail Servers, this use of Bulk Email to generate messages that appear to come from a different domain cannot continue without adjustment. There are two basic approaches that can be implemented:
- All Email originates from the Site Domain
  All Bulk Email usage on a RidgeStar site will generally have to originate from an Email address that properly resolves to a RidgeStar based Mail Domain. Thus (by way of example), Bulk Email sent from the www.RidgeStar.com site will have to be from an email address ending in RidgeStar.com (e.g. Joe@RidgeStar.com) and may NOT end in a different domain (e.g. Joe@GMail.com).
  The impact of this choice can be softened by defining a set of Forwarders for the domain that reroute mail to the proper individual Email address. Thus, if a recipient replies to Bulk Email generated by our fictitious Joe@RidgeStar.com, the reply could be rerouted to Joe@GMail.com.
- All Email originates from a single Email address
  All Bulk Email usage on a RidgeStar site would be initiated from a single, SPF legitimate Email address (for example, Webmaster@RidgeStar.com). Bulk Email would then pass SPF Tests. To facilitate return mail getting to the proper Email location, the actual User's Email address (in our example, Joe@GMail.com) would be set as the ReplyTo address.
  Thus, all Bulk Email generated by our fictitious Joe@GMail.com would actually be sent from "Joe Smith on RidgeStar.com" at Webmaster@RidgeStar.com with a ReplyTo address of "Joe Smith" at Joe@GMail.com.
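Both approaches come down to a rule on the From header. The Python below is an added example, not code from any RidgeStar site: the first function is the approach-1 check that a requested sender address resolves to the site's own mail domain, and the second builds an approach-2 message that is sent from the single site address with the User's real address in Reply-To. The domain, addresses and subject are the page's fictitious example values; the helper and function names are this example's own.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# The page's fictitious example values: the site's mail domain, its single
# SPF-legitimate sending address, and a User whose preferred address is elsewhere.
SITE_DOMAIN = "RidgeStar.com"
SITE_SENDER = "Webmaster@RidgeStar.com"
USER_NAME = "Joe Smith"
USER_ADDRESS = "Joe@GMail.com"


def mail_domain(address):
    """Return the lower-cased domain part of an address such as 'Joe@GMail.com'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def allowed_by_site_domain(sender_address, site_domain=SITE_DOMAIN):
    """Approach 1: Bulk Email may only be sent From an address in the site's
    own mail domain. Mail domains are case-insensitive, so compare lower-cased."""
    return mail_domain(sender_address) == site_domain.lower()


def build_bulk_message(user_name, user_address, subject, body,
                       site_domain=SITE_DOMAIN, site_sender=SITE_SENDER):
    """Approach 2: always send From the single SPF-legitimate site address and
    carry the User's real address in Reply-To, so an SPF check sees the site's
    domain while replies still reach the User."""
    if not allowed_by_site_domain(site_sender, site_domain):
        raise ValueError("site sender must belong to the site domain")
    msg = EmailMessage()
    msg["From"] = formataddr((f"{user_name} on {site_domain}", site_sender))
    msg["Reply-To"] = formataddr((user_name, user_address))
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def sender_parts(msg):
    """Return (From name, From address, Reply-To name, Reply-To address) as
    plain unquoted strings, for inspection of a message built above."""
    from_name, from_addr = parseaddr(str(msg["From"]))
    reply_name, reply_addr = parseaddr(str(msg["Reply-To"]))
    return from_name, from_addr, reply_name, reply_addr


if __name__ == "__main__":
    # Approach 1: the outside address is refused, the site address is accepted.
    for candidate in (USER_ADDRESS, "Joe@RidgeStar.com"):
        print(candidate, "allowed" if allowed_by_site_domain(candidate) else "refused")
    # Approach 2: the message goes out from the site address with Reply-To set.
    message = build_bulk_message(USER_NAME, USER_ADDRESS,
                                 "Practice moved", "See the site for details.")
    print(sender_parts(message))
```

Under approach 2 the Receiving Mail Server evaluates SPF against RidgeStar.com, the domain of the From address, and never against GMail.com, which is why the message passes even though the User's own mailbox is elsewhere.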