On Thu, 2004-12-09 at 14:10, Frank Ellermann wrote:
> Douglas Otis wrote:
>> there are ways to prevent the SPF record from being
>> discovered from sub-domains negating supposed spoof
>> protections.
> What are you talking about? If your domain is an.example,
> and your users use MAIL FROM:<user@an.example> via your MSA,
> which says HELO msa.an.example, and if you have SPF sender
> policies "v=spf1 a:msa.an.example -all" for an.example and
> "v=spf1 a -all" for msa.an.example, where's the problem?
Those wishing to spoof a domain could add a label that already has a
record, such as:
MAIL FROM:<user@name_of_inbound_smtp_server.an.example>.
The query for the SPF TXT RR at name_of_inbound_smtp_server.an.example
will fail. They may even HELO some_existing_record.an.example. The
fact that IP addresses do not match will not be a problem. No SPF TXT
records will have been found, however.
>> there is no way to know if the recipient of a message from
>> such an SPF-domain will be forwarding the message.
> Yes, the "S" in SPF stands for "sender policy". As soon as
> the receiver does interesting things they are his business.
> If the receiver checks SPF at the wrong place resulting in a
> FAIL and reject, then he should fix his routing, or find any
> other solution for his problems, the sender didn't cause it.
The "all authorized senders are listed" policy causes the problem!
There is no way to know in advance which recipient forwards mail so, in
essence, this is a false claim that damages the integrity of the mail.
Unless this damage is intentional with the belief mail forwarding, as it
exists today, should not be used, no SPF record should claim "-all".
There is no right place for these records.
-Doug
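The two cases argued above, the sub-domain lookup gap and the forwarding failure, are easy to reproduce with a toy SPF evaluator. The following is an added example for this page, not code from either poster or from any SPF implementation; it supports only the a, mx, ip4 and all mechanisms, and the DNS table, hostnames (mx.an.example, fwd.example) and IP addresses are constructed to mirror Frank's proposed zone for an.example, with the inbound MX host given an A record but no SPF record.

```python
# Toy SPF evaluator (added example; not from the mailing-list thread).
# Implements only a, mx, ip4 and all with + - ~ ? qualifiers, against a
# constructed in-memory DNS table. All names and addresses are hypothetical.
import copy
import ipaddress

# Constructed zone modelled on Frank's proposal: the apex authorises only
# msa.an.example, msa.an.example authorises its own A record, and the
# inbound MX host mx.an.example has an A record but publishes no SPF TXT.
DNS = {
    "an.example":     {"TXT": ["v=spf1 a:msa.an.example -all"],
                       "MX": ["mx.an.example"]},
    "msa.an.example": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.10"]},
    "mx.an.example":  {"A": ["192.0.2.25"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=DNS):
    """Return the constructed records of type rtype at name (possibly empty)."""
    return dns.get(name, {}).get(rtype, [])


def spf_record(domain, dns=DNS):
    """SPF looks for a TXT record at the exact MAIL FROM (or HELO) domain only;
    it does not walk up to the parent zone."""
    recs = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, dns=DNS):
    """Evaluate the sender policy of `domain` for connecting address `ip`."""
    rec = spf_record(domain, dns)
    if rec is None:
        return "none"  # no policy at this exact name: nothing to enforce
    ip = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            matched = any(str(ip) in lookup(h, "A", dns)
                          for h in lookup(arg or domain, "MX", dns))
        else:
            return "permerror"  # mechanisms outside this toy's scope
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"  # record exhausted without a match


def scenarios():
    """The cases discussed in the thread, as (name -> SPF result)."""
    spoofer, forwarder = "203.0.113.7", "198.51.100.9"
    results = {
        # Legitimate user submitting through the listed MSA.
        "legit_via_msa": check_host("192.0.2.10", "an.example"),
        # Spoofed MAIL FROM at the apex: -all catches it.
        "spoof_apex": check_host(spoofer, "an.example"),
        # Doug's case: MAIL FROM at a hostname that exists in DNS but has
        # no SPF TXT record. The parent's -all is never consulted.
        "spoof_mx_hostname": check_host(spoofer, "mx.an.example"),
        # Same for HELO mx.an.example checked against the HELO identity.
        "helo_mx_hostname": check_host(spoofer, "mx.an.example"),
        # Forwarding: fwd.example relays the legitimate message with MAIL
        # FROM unchanged; the final receiver sees the forwarder's IP.
        "forwarded_legit": check_host(forwarder, "an.example"),
    }
    # What closes the sub-domain gap: publish an explicit policy at the
    # hostname itself, as Frank already did for msa.an.example.
    hardened = copy.deepcopy(DNS)
    hardened["mx.an.example"]["TXT"] = ["v=spf1 -all"]
    results["spoof_mx_hostname_hardened"] = check_host(
        spoofer, "mx.an.example", hardened)
    return results


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} {result}")
```

The evaluator makes both positions concrete: the sub-domain case yields "none" because SPF queries the exact identity and never the parent zone, so a "-all" at an.example says nothing about mx.an.example until a record is published there; the forwarding case yields "fail" because the forwarder's address is not in the sender's list and nothing in the record can anticipate it.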