Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
What Doug means is that email can legitimately come to my servers from
an IP address that is not anticipated by example.com because there was an
extra hop in its journey:
I understand, but that doesn't affect the SMTP server which performs
that validation.
The multi-hop problem can be re-phrased as "any message must pass
all checks at all intermediate hops for it to reach the final
destination." This restriction is nothing new to SMTP. The specific
technique of authentication records in DNS is new.
I cannot work around this problem: I have no reasonable way of knowing
that this forwarding relationship exists, or if I do know about it I have
no reasonable way of maintaining a list of example.edu's outgoing email
servers in order to whitelist them.
And I don't see why (in the idealogical sense) this would be your
problem. If other sites are forwarding your users messages, then
that's a matter between them and the users. You shouldn't have to be
involved.
Practically, the practice is common, and people resist mightily
changing their habits.
We have to decide if the gain to some from performing MTA
authentication is worth the cost to others. The people paying the
cost naturally don't want to do so. That's what this WG is about.
Maybe there is an alternate implementation where you don't have to pay
the cost. We should find it, if possible.
If not, I don't see why your need to have forwarding for your users
should have any impact on my need to do what I want with my domain.
Alan DeKok.