ietf-mxcomp
[Top] [All Lists]

Re: MARID compatibility with SPF records

2004-07-17 14:18:53


On Jul 17, 2004, at 12:45 PM, Mark Lentczner wrote:

But the real question in my mind is, while I understand the semantic difference from a purely technical point of view, I'm not sure that I can find a practical difference. Specifically, I'm not sure I can find a case where:

There is a domain that identifies at least one host that it permits to be used as the PRA
        but not as envelope MAIL FROM.
or
There is a domain that identifies at least one host that it does not permit to be used as
        PRA, but does permit as envelope MAIL FROM.

For simple mail, the envelope MAIL FROM and PRA are the same. So any case must involve more complicated mail set ups: forwarding, lists, or bulk mail.

On Jul 17, 2004, at 6:57 AM, Margaret Olson wrote:
Problems occur with domains where the MAIL-FROM matches the PRD in one system (for example the mail sent by an ISP), and that domain has published an SPF v1 record, and that domain is used as the PRD (2822 from) in another system with it's own error handler. In other words, in domains that have an ISP for personal mail and at least one outsourced service that sends specialized mail (for example a shopping cart or a email service provider for marketing messages).
Margaret gives two examples, the first of which she declares to be "not a problem", since it is solved by businesses having their own domain name. I'm going to restate the second example to be sure I understand it, and to see if it fits the test above:

mybikeshop.com normally sends it's mail via its ISP's servers at bigisp.com, however, it sometimes sends bulk mailing to its customers via bulkmailer.com. Hence, we see normal messages as:

        SMTP client:        mx.bigisp.com
        envelope MAIL FROM: amy(_at_)mybikeshop(_dot_)com
        header PRA:         amy(_at_)mybikeshop(_dot_)com

and we see bulk messages:

        SMTP client:        mx.bulkmailer.com
        envelope MAIL FROM: 
bounce+mybikeshop(_dot_)com(_at_)bulkmailer(_dot_)com
        header PRA:         amy(_at_)mybikeshop(_dot_)com

So the records involved are the SPF records for bulkmailer.com and mybikeshop.com. We'll take these in this order.

bulkmailer.com needs to publish a record that old, envelope MAIL FROM checking SPF implementations will pass when seeing the second type of e-mail. So it publishes:

        bulkmailer.com. IN TXT "v=spf1 +a:mx.bulkmailer.com -all"

If this record is used by a newer implementation that checks PRA, this almost certainly valid since bulkmailer.com could send its own mail (where it is in the PRA) from this machine. Even if it didn't, it administratively controls this machine, and is already accepting accountability for it. Such a declaration doesn't result in a loss of reputation or an opportunity for a spammer.

mybikeshop.com needs to publish a record that envelope MAIL FROM checking SPF implementations will pass when seeing the first type of mail, and newer implementations will pass with either. So it publishes:

mybikeshop.com. IN TXT "v=spf1 +a:mx.bigisp.com +a:mx.bulkmailer.com -all"

This record is slightly more liberal than the requirements. In particular, implementations checking envelope MAIL FROM against this record will Pass an envelope MAIL FROM with mybikeshop.com when coming from mx.bulkmailer.com. Given that mybikeshop.com already trusts bullkmailer.com to use its name as PRA on e-mail, it seems unlikely that mybikeshop.com would be unwilling to trust that they could set up the envelope MAIL FROM correctly.

I completely agree up to this point.

My question is: what mybikeshop.com's ISP has *already* published an SPF record for mybikeshop.com, without taking sender id into consideration? Given that SPF has been around longer than Caller-ID, and the syntax merger is extremely new, it is not unreasonable to expect that this situation exists. In this scenario, mybikeshop.com's SPF record probably looks like:

mybikeshop.com IN TEXT "v=spf1 +a:mx.bigism.com -all"

This is currently correct in an SPF classic context and produces the desired result of SPF classic: it protects against MAIL-FROM forgery. But it's not a correct SenderID record - the correct SenderID was shown in Mark's text above, and includes bulkmailer.com.

At what point is it safe for receivers to assume that mybikeshop.com's records have been updated and apply the SenderID PRD algorithm? (Here "updating" is meant to include the several approaches available, including literally updating the mybikeshop.com record and creating sub-domains for the transactional and bulk messages.)

I do not know how big this problem is, but given that there are 10s of thousands of domains publishing SPF records, and many 10s of thousands of domains (perhaps millions, depending on whose numbers you believe) using outsourced providers, it's reckless to assume that it is not a practical real world problem.

So I think we *do* need to express the record version. I am inclined to agree with Mark's point that there isn't any practical need for a permanent scoping mechanism.

Short of proof that there is no overlap between currently published v1 records and clients of ESPs and clients of outsourced shopping carts record differentiation of some sort is mandatory. Otherwise we introduce a situation where publishing is potentially more damaging that not publishing, which is a sure way to kill publication. I suppose the other possibility is that an authentication failure comes to have relatively little meaning, but that is hardly a desirable outcome either.

Margaret.