-----BEGIN PGP SIGNED MESSAGE-----
David Woodhouse wrote:
On Wed, 2005-07-06 at 11:56 -0400, Terry Fielder wrote:
Nor does the admin at [the receiving site] need to know. The
[forwarding site], and needs to ensure the forwarder forwards without forgery
I see no RFC definition of this 'forgery' of which you speak, and of
which Alex raves so hotly. It's purely an invention, to work around the
brokenness of SPF.
What if I were suddenly to claim that my name may not be used in the
From: header of mail coming from anywhere but my own servers, and I
cried that the mailing list's use of my name was 'forgery'?
Surely you would all just laugh at me? Why then do you expect your own
cries of 'forgery' to be taken seriously by all forwarding hosts in the
This 'forgery' of which you speak is normal behaviour and has been for
years. By expecting it to change you are tilting at windmills. Using
emotive words to describe standard behaviour doesn't change that fact.
One last try:
If I get an e-mail from example.org fraudulently claiming to originate
from example.com that is forgery. That is what SPF is specifically
created to prevent.
If I get an e-mail from example.net that is a legitimate forward from
example.com that claims to be directly from example.com I cannot tell
the difference between the legitimate message and the above forgery.
Dilemma: do I accept the forgery, or reject the legitimate message?
Further consideration: I have to decide this as quickly and cheaply
as possible, and stay within RFC compliance as well.
Simply put, the reason that SPF breaks the forwarding you love so
much is because it is indistinguishable from the forgery that SPF
specifically exists to prevent.
This is not a breakage of SPF, it is a natural consequence of the
situation, and ANY general solution to the problem of e-mail source
forgery is going to require changes on the part of forwarders. It is
simply unavoidable as long as forwarding is done using a technique
that is indistinguishable from forgery.
Daniel Taylor VP Operations Vocal Laboratories, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----