SPF + ISP Smarthost, always untrusted?

Question

One of the ways mail-servers protect themselves from spam is by SPF-records, a DNS look-up saying what ip-adresses are allowed to send mail from a given domain name.

Another way the mail-servers use is blacklisting, some of those blacklist have list of IP-ranges for end-users, to force the ISP's user to use the ISP's "smarthost"

Both techniques may do some good work, but together they are terrible.

If you put up a email-server at home, for your family-domain-name, and have a SPF record saying that only your home IP is allowed to send emails for that domain name, that works really well spam-protection until your ISP puts your IP-range on the blacklists.

At this point I see 3 possible scenarios:

You send your mail direct to the mx record, and get denied due to blacklisted IP.
You send your mail to the ISP's smarthost, and get denied at the endhost because the smarthost isn't listed in SPF.
You update your SPF to include the smarthost, and everyone that can use that smarthost can now send email from your domain, and pass the SPF check.

Is there a working way to combine these techniques, or are end-user email-server always going to be untrusted?

A follow-up from what @MichaelHampton just said: The reason for not running a SMTP server from your home is because RBL's auto-block all known network blocks containing dynamic IP's to prevent spam relays. You can set up a domain at home, but please use a smart host and relay it all to your ISP or similar. — pauska, Oct 14 '13 at 22:50

score 1 · Accepted Answer · answered Oct 14 '13 at 22:54

If you're really concerned about the shortcomings of option 3, get a VPS somewhere and use that to front your server (ie, accept incoming mail and relay it to your home box, and use it as the smart host for your home box).

Low-end VPS'es can be had for $5/month or less, and will resolve all the concerns you've raised.

SPF + ISP Smarthost, always untrusted?

1 Answers1