ietf-mxcomp

Re: towards a compromise

2004-04-22 19:33:12

On 4/22/04 8:51 PM, "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org> wrote:



So, the basic concept of "MTA X is authorized to use domain Y" could be
extended to cover all three of these cases.

Usually the HELO name is different from the domain in the MAIL FROM, and
usually the MAIL FROM is the same as From:/Sender:/misc 2822.  So the HELO
case is pretty easy, it is a different domain so it can have a different
allow list (usually "MTA mail1.example.com is allowed to use HELO name
mail1.example.com").  If the same name is used in HELO and in MAIL FROM (or
From:) then it's probably a message generated by your mail server and then
it becomes pretty clear which MTA is authorized to send the mail. :)  But
if other MTAs might also handle the DSN or other server-generated message
on the way out, just add them to the list like you would for any other RHS
domain argument.

The MAIL FROM is frequently not the same as the 2822 from for mail sent via
email service providers or mail generated by applications. In those cases
the 2821 MAIL FROM may be the application or service provider, which
programmatically handles bounces and other errors, while the 2822 from is
the person responsible for the content. This is not always the case; there
is a wide variety of approaches to setting the 2821 from, but it's frequent
enough that the word "usually" gives me pause.

Moving on to MAIL FROM vs. From:/Sender:  IF the basic thing we're saying
is "MTA X is authorized to use domain Y", and the receiver may check either
MAIL FROM or From:/Sender: then this is where (you claim) there might be
different meanings to using the data in a 2821 or 2822 context.  So my
questions in response to that are:

1. Are there really any situations where you want to use the *same* domain
name in both contexts AND you want to supply *different* data to the
2821.MAIL FROM checker than to the 2822.From:/Sender: checker?  Or cases
where you want either of 2821/2822 checking but not both, for the same
domain name?
...... 
3. If you can't come up with a complete list of all MTAs that *might* use
your same domain name, suitable for checking either MAIL FROM or
From:/Sender:, would you be content with a workaround of using different
domains in each context?  (For example, if the From: is something(_at_)jlc(_dot_)net
and the MAIL FROM is bounces.jlc.net, different sets of MTAs are possible)

Domains are brands. You can create arbitrary sub-domains for purely
technical purposes, but creating them in a way that is visible to users runs
into all kinds of brand control issues. So I think here the answer is yes,
you can create a sub-domain for the 2821 from or the HELO. (Yes, an end user
can look at the 2821 if they know how, but most won't and it will not be an
issue).
 
What I am trying to steer away from is the need to state "Here is my 2821
info" and "Here is my 2822 info" (or even "Here is my HELO info" and "Here
is my MAIL FROM info") when 99% of the time they will be the same list.

Which is why I'm asking for more info.  Does "different domains will want
to signal different policies" also mean "The SAME domain will want to
signal two different policies"?

At some level the answer is yes, in that organizations that provide email
services today may use the same domain name for both corporate mail (2822)
and as part of the service (2821), and have different rules for each use of
the domain. Constantcontact.com does this to some degree, but I can't think
of a compelling reason to preserve this option. I have to think it only
affects people providing various kinds of email services, and a subset of
them at that, and this is a group that is not all that big and plenty able
to make this kind of minor change.

I am not sure if the issue really is "They might not be the same list" or
if it really comes down to "I want to be able to keep the receiver from
checking one or the other".

I concur with Phill's assessment that the receiver is going to do what the
receiver is going to do. However, it is useful to tell the receiver what the
intended use of the domain is. It gives the receiver a strong hint about
what to check, and in and of itself communicates useful information.

(Again, my guess is that 99% of people publishing their info want to 1.
protect their domain name in ANY context, and 2. use the same policy for
all checks.  So my hope is that we can make things easiest for the 99% case
and a bit harder for the 1% case, rather than complicated all the time.)

A large percentage of commercial organizations, and here I'm including all the
pseudo-commercial organizations - non-profits and other associations - use
at least one sending service outside of their direct control. And perhaps
not intuitively, the smaller and less technically savvy they are the more
likely they are to have multiple, unrelated services each providing some
relatively narrow function. Imagine a small business with a shopping cart
with order confirmations from vendor a, email marketing from vendor b, and
corporate person to person mail from the local ISP.

I don't have a good feel for how widespread all the rich variations possible
on the use in 2821 and 2822 of the four domains in this scenario are, but
while it's probably correct to assume that most person to person *email* has
the same 2821 and 2822, it is pretty risky to assume that most *domains*
send only mail with the same value for 2821 and 2822.
 
All that being said, it should be possible to express "mail with a 2822 from
of my domain comes only from my servers".


Margaret.
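
The small-business scenario from the message above, worked through in code as an added example that is not part of the original post. The domain names, the `AUTHORIZED` table and the rule of one list per domain consulted in every context are assumptions for illustration, not any proposal's record format.

```python
from email.utils import parseaddr

# Hypothetical published data: domain -> MTAs authorized to use that name.
# One list per domain, consulted for HELO, MAIL FROM and From: alike.
AUTHORIZED = {
    "smallbiz.example": {"smtp.isp.example"},
    "smtp.isp.example": {"smtp.isp.example"},
    "vendor-a.example": {"mta.vendor-a.example"},
    "mta.vendor-a.example": {"mta.vendor-a.example"},
    "vendor-b.example": {"mta.vendor-b.example"},
    "mta.vendor-b.example": {"mta.vendor-b.example"},
}

# Constructed sample messages: connecting MTA, HELO, 2821 MAIL FROM, 2822 From:.
MESSAGES = [
    {"mta": "mta.vendor-a.example", "helo": "mta.vendor-a.example",
     "mail_from": "<bounces@vendor-a.example>",
     "from": "Orders <orders@smallbiz.example>"},
    {"mta": "mta.vendor-b.example", "helo": "mta.vendor-b.example",
     "mail_from": "<bounce-123@vendor-b.example>",
     "from": "News <news@smallbiz.example>"},
    {"mta": "smtp.isp.example", "helo": "smtp.isp.example",
     "mail_from": "<owner@smallbiz.example>",
     "from": "Owner <owner@smallbiz.example>"},
]

def domain_of(value):
    """Lowercased domain of an address or header value; '' for the null sender."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def check(mta, domain):
    """Is this MTA authorized to use this domain? 'none' if nothing is published."""
    if domain not in AUTHORIZED:
        return "none"
    return "pass" if mta in AUTHORIZED[domain] else "fail"

def evaluate(msg):
    """Check one MTA against the HELO, MAIL FROM and From: domains of a message."""
    env, hdr = domain_of(msg["mail_from"]), domain_of(msg["from"])
    return {"helo": check(msg["mta"], msg["helo"].lower()),
            "mailfrom": check(msg["mta"], env),
            "from": check(msg["mta"], hdr),
            "aligned": env == hdr}

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], evaluate(m))
```

With only the ISP's server on the list for smallbiz.example, the two vendor-sent messages pass the HELO and MAIL FROM checks and fail the From: check, while the person-to-person message passes all three.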