[ILUG] SPF and backup MX servers

Kenn Humborg kenn at bluetree.ie
Fri Jan 9 11:46:08 GMT 2004


With all the hoopla recently about SPF (sender permitted from)
records, there is one thing that I still have doubts about:
backup MX servers.

Let's take an example:

   o  sender.com advertises SPF hosts as mail.sender.com

   o  user1 at sender.com sends an email to user2 at receiver.com

   o  MX records for receiver.com are:
         10 mail.receiver.com
         20 mail.backupmx1.com
         30 mail.backupmx2.com

   o  mail.receiver.com and mail.backupmx1.com are down, so
      mail.sender.com SMTPs the message to mail.backupmx2.com.

   o  Immediately after MAIL FROM:<user1 at sender.com>, 
      mail.backupmx2.com does an SPF lookup and sees that all
      is OK and accepts the message.

   o  Later, mail.backupmx1.com comes up but mail.receiver.com
      is still down, so mail.backupmx2.com SMTPs to 
      mail.backupmx1.com.

   o  mail.backupmx1.com does an SPF lookup and finds that
      mail.backupmx2.com is not a permitted sender - message is
      accepted and marked as possible spam (best case) or
      bounced (worse case) or silently blackholed (worst case).

   o  Later mail.receiver.com comes back up, so mail.backupmx1.com
      SMTPs to mail.receiver.com.

   o  mail.receiver.com does an SPF lookup and finds that 
      mail.backupmx1.com is not a permitted sender.  However,
      it sees that it is one of its own backup MX servers, so
      accepts the message (I hope).

Note that "I hope" there.  It is not at all clear from the stuff
I've read that an SPF "client" should be configured to trust its
backup MX servers.  Of course, if you've got a backup MX that
doesn't do SPF checks, then that's a spam route into your 
network.

But the biggest problem occurs when a message is passed between
intermediate backup MX servers as above.  At the time of MAIL FROM:
in the SMTP conversation, there is no recipient address available,
so there is no way for the backup MX servers to know of each
other's existence.  There is no way for backupmx1 to know that
backupmx2 is a lower-priority MX for receiver.com.  Perhaps if it 
knew this (by postponing SPF checks until all RCPT TO:s are received)
it could then decide to accept the message as non-SPAM, since it
could trust backupmx2 (for receiver.com recipients only).

But what happens when there are multiple recipients?  backupmx1
ends up having to either:

   o  Assume message is non-SPAM for all recipients since one
      recipient is good

   o  Consider it as non-SPAM for user2 at receiver.com, but SPAM
      for any recipients that do not list backupmx2 as an MX.

Or do we just give up on the whole idea of backup MX servers?
Are we better off without them in today's well-connected Internet?

Later,
Kenn
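The chain of hops described in the post, modelled as an added example (this is not code from the original message or from any SPF implementation). The "DNS" is a constructed in-memory table holding the SPF and MX data from the example, the function names (spf_result, verdict_per_recipient, walk_chain) are hypothetical, and the deferred check implements the second of the two options listed above: a peer MX is trusted only for recipients whose domain actually lists both hosts as MX, so a naive check at MAIL FROM and a check postponed until after RCPT TO can be compared hop by hop.

```python
"""Toy model of SPF checks across a chain of backup MX hosts.

Added example, not from the original post. All DNS data below is constructed
in memory for the scenario in the message; nothing is looked up on the network.
"""

# Constructed "DNS": the hosts each domain's SPF record permits, and the
# (preference, host) MX list each domain publishes.
SPF_PERMITTED = {
    "sender.com": {"mail.sender.com"},
}
MX_RECORDS = {
    "receiver.com": [
        (10, "mail.receiver.com"),
        (20, "mail.backupmx1.com"),
        (30, "mail.backupmx2.com"),
    ],
    "other.com": [(10, "mail.other.com")],
}


def spf_result(mail_from, connecting_host):
    """Naive check done at MAIL FROM: only the envelope sender's domain is known."""
    domain = mail_from.rsplit("@", 1)[-1]
    return "pass" if connecting_host in SPF_PERMITTED.get(domain, set()) else "fail"


def mx_hosts(domain):
    """Set of hostnames listed as MX for domain, at any preference."""
    return {host for _pref, host in MX_RECORDS.get(domain, [])}


def verdict_per_recipient(mail_from, connecting_host, my_host, recipients):
    """Deferred check, run once all RCPT TO:s are in so each recipient domain is known.

    Per recipient the verdict is one of:
      'pass'          - SPF passes for the envelope sender
      'trusted-relay' - SPF fails, but the connecting host and this host are both
                        MX for the recipient's domain, so it is accepted as a peer
      'fail'          - SPF fails and no MX relationship excuses it
    Trust is granted per recipient domain only, so a peer MX for receiver.com
    does not become a permitted sender for recipients elsewhere.
    """
    base = spf_result(mail_from, connecting_host)
    verdicts = {}
    for rcpt in recipients:
        if base == "pass":
            verdicts[rcpt] = "pass"
            continue
        rcpt_domain = rcpt.rsplit("@", 1)[-1]
        peers = mx_hosts(rcpt_domain)
        if connecting_host in peers and my_host in peers:
            verdicts[rcpt] = "trusted-relay"
        else:
            verdicts[rcpt] = "fail"
    return verdicts


def walk_chain(mail_from, recipients, hops):
    """Hand the message along `hops`, a list of (from_host, to_host) pairs.

    Returns, per hop, (receiving_host, naive MAIL FROM result, deferred verdicts).
    """
    trace = []
    for from_host, to_host in hops:
        naive = spf_result(mail_from, from_host)
        deferred = verdict_per_recipient(mail_from, from_host, to_host, recipients)
        trace.append((to_host, naive, deferred))
    return trace


if __name__ == "__main__":
    # The outage sequence from the post: sender -> backupmx2 -> backupmx1 -> primary.
    hops = [
        ("mail.sender.com", "mail.backupmx2.com"),
        ("mail.backupmx2.com", "mail.backupmx1.com"),
        ("mail.backupmx1.com", "mail.receiver.com"),
    ]
    rcpts = ["user2@receiver.com", "user3@other.com"]
    for host, naive, deferred in walk_chain("user1@sender.com", rcpts, hops):
        print(host, "| MAIL FROM check:", naive, "| after RCPT TO:", deferred)
```

Running it shows the first hop passing outright, and both later hops failing the naive MAIL FROM check while the deferred check accepts the receiver.com recipient as a peer relay and still fails the other.com recipient, which is the split the post describes.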
