spf-discuss

Re: SPF+SRS vs. BATV (was: SPF Stats)

2005-07-05 07:18:23
On Tue, 5 Jul 2005, Dick St.Peters wrote:

> Stuart, if you're ever going to be taken seriously, you're going to
> have to learn to understand what other people mean when talking about
> forwarding.  It still has nothing to do with relaying within a
> receiver's mail system.  (And, BTW, while SRS is a more-or-less
> adequate solution to the real forwarding problem, it would be a dismal
> way to deal with internal relaying.)

The recipient is the RCPT TO address.  The person controlling the RCPT TO
address is the only one who can set up any forwarding - including the
kind people are complaining about.

I understand the main complaint that if the target of a "forward"
is unaware that they are such a target and start rejecting SPF fail,
then the forward will break.  I claim that such a recipient is broken,
because SPF records only apply until the message is accepted by
the recipient.  Are people seriously claiming that SPF records
still apply *after* the message is accepted by the recipient?

Such targets *should* be aware of who is "forwarding" to them.  It is as
important to securing receiving email as getting control (via SMTP AUTH and
such) of laptops sending with your domain from hotel rooms on the sending side.

A recipient that cannot control their proxy recipients (forwarders),
should not reject on fail - just as a sender that cannot control their roaming
senders should not publish "-all".  However, the fact that some recipients
may not be able to (correctly) reject on fail is no reason for senders
not to publish "-all" when their sending domains are secured.

Getting control is possible, even for a large ISP.  It is a matter
of telling users they must list all emails that forward (in the commonly
meant sense) to their account unless the forwarder uses SRS.

I understand that getting control of recipients is more difficult and complex
for a large ISP, as are a lot of things.  But that doesn't stop
smaller domains from fully checking SPF - in most cases without much
effort at all.

And again, if getting control is too expensive at the moment, then
don't reject on fail and nothing breaks.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
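
The receiver-side policy argued for in the message above, as an added sketch that is not code from the post or from any SPF implementation: mail from a forwarder the recipient has declared is accepted without applying SPF, an SRS-rewritten envelope sender passes on the forwarder's own record, and SPF fail is only enforced for recipients whose forwarders have been enumerated. The tables `SPF_ALLOW` and `FORWARDERS`, the function names, the example domains and addresses, and the toy `spf_result` check (a stand-in for a real DNS-based SPF evaluation) are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed stand-in for published SPF records ending in "-all":
# domain -> networks allowed to send with that domain in MAIL FROM.
SPF_ALLOW = {
    "sender.example": ["192.0.2.0/24"],
    "forwarder.example": ["198.51.100.0/24"],
}

# Constructed per-recipient list of declared forwarders (networks that
# relay to this mailbox on the user's behalf). None = never enumerated.
FORWARDERS = {
    "alice@rcpt.example": ["203.0.113.0/24"],
    "bob@rcpt.example": None,
    "carol@rcpt.example": [],
}

def in_any(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def spf_result(ip, mail_from):
    """Toy SPF check against SPF_ALLOW; a real MTA would query DNS."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in SPF_ALLOW:
        return "none"
    return "pass" if in_any(ip, SPF_ALLOW[domain]) else "fail"

def decide(ip, mail_from, rcpt_to):
    """Return (action, reason) for one RCPT TO at SMTP time."""
    declared = FORWARDERS.get(rcpt_to.lower())
    if declared and in_any(ip, declared):
        # Proxy recipient: SPF was applicable at the forwarder's border.
        return ("accept", "declared forwarder")
    result = spf_result(ip, mail_from)
    if result == "fail":
        if declared is None:
            # Forwarders not under control: do not reject on fail.
            return ("accept", "spf fail, not enforced")
        return ("reject", "spf fail")
    return ("accept", "spf " + result)
```
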