
Re: Concluding the SPF and Sender ID experiments

2009-02-26 15:43:50

MH Michael Hammer (5304) wrote:

From: Jeff Macdonald [mailto:jmacdonald(_at_)e-dialog(_dot_)com]

Nice. We also do both for our clients, but RFC5321From and RFC5322From
are different domains, so for spf2.0 we specify PRA.

For our website domains we require that the RFC5321Mailfrom and the
RFC5322From match for all outgoing mail. Specifying PRA for spf2.0
invites certain kinds of attacks that will gain the attacker a neutral
for PRA check.

Right, like this list message.  A PRA check would have provided a SoftFail.

It came in with a 5321.MailFrom:


which unfortunately doesn't support SPF. :-(

If this mailer at the very least supported submitter, it would have used:

  MAIL From:<owner-ietf-smtp(_at_)mail(_dot_)imc(_dot_)org> 

This would allow receivers to lower their overhead by checking at the SMTP level. Instead, our server did a bunch of checks.


Hector Santos
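
An added example, not part of the original message or of any software mentioned in the thread: it derives the PRA using the RFC 4407 header-selection steps and reports whether the 5321.MailFrom, PRA and 5322.From domains agree, which is the condition Michael Hammer describes requiring for outgoing mail. The function names `pra` and `check` and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def pra(msg):
    """Purported Responsible Address per RFC 4407, or None if the message is ill-formed."""
    hdrs = [(k.lower(), v) for k, v in msg.items() if v.strip()]
    names = [k for k, _ in hdrs]
    chosen = None
    if "resent-sender" in names:                       # step 1
        rs = names.index("resent-sender")
        # Skip it if Received/Return-Path sits between an earlier Resent-From and it.
        rf = names.index("resent-from") if "resent-from" in names[:rs] else None
        if rf is None or not {"received", "return-path"} & set(names[rf + 1:rs]):
            chosen = hdrs[rs][1]
    if chosen is None and "resent-from" in names:      # step 2
        chosen = hdrs[names.index("resent-from")][1]
    for field in ("sender", "from"):                   # steps 3 and 4
        if chosen is None:
            vals = [v for k, v in hdrs if k == field]
            if len(vals) > 1:                          # duplicated header: ill-formed
                return None
            chosen = vals[0] if vals else None
    if chosen is None:
        return None
    addrs = getaddresses([chosen])                     # step 5: exactly one mailbox
    return addrs[0][1] if len(addrs) == 1 and "@" in addrs[0][1] else None

def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else None

def check(mail_from, raw):
    """Domains a receiver would evaluate, plus whether all three agree."""
    msg = message_from_string(raw)
    frm = getaddresses(msg.get_all("From") or [])
    ids = {"mfrom": _domain(mail_from), "pra": _domain(pra(msg)),
           "from": _domain(frm[0][1]) if len(frm) == 1 else None}
    ids["aligned"] = None not in ids.values() and len(set(ids.values())) == 1
    return ids

# Constructed samples using reserved example domains, not taken from the thread.
LIST_MSG = ("Received: from lists.example.net by mx.example.com\n"
            "Sender: owner-list@lists.example.net\n"
            "From: Author <author@example.org>\n"
            "Subject: test\n\nbody\n")
DIRECT_MSG = "From: Shop <news@example.com>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(check("owner-list@lists.example.net", LIST_MSG))
    print(check("bounce@example.com", DIRECT_MSG))
```

For the list-style sample the PRA resolves to the Sender domain rather than the domain shown in From, so an spf2.0 "pra" record is evaluated against a different domain than the one the reader sees.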