MX /receive/ mail, mailout hosts may differ and, in large sites, they
typically do.
Yes, I agree with that. We actually fetch the third-party MX hosts' SPF records as
well. I have illustrated that in this image:
https://miro.medium.com/max/684/1*PKHfrnCDFy8-kvaUDY83_Q.png
Also this is how we deal with incoming human-to-human mails when the sender
is an "Unverified Stranger".
mail.example.com Connecting to mail.domboxmail.com with its IP address
domboxmail.com => 220 mail.domboxmail.com Dombox SMTP Service Ready
example.com => HELO mail.example.com
domboxmail.com => 250 Hello, nice to meet you, mail.example.com
example.com => MAIL FROM: <john(_at_)example(_dot_)com>
domboxmail.com => 250 OK
example.com => RCPT TO: <user1(_at_)domboxmail(_dot_)com>
domboxmail.com => 250 OK
example.com => RCPT TO: <user2(_at_)domboxmail(_dot_)com>
domboxmail.com => *550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address*
example.com => RCPT TO: <user3(_at_)domboxmail(_dot_)com>
domboxmail.com => 250 OK
example.com => RCPT TO: <user4(_at_)domboxmail(_dot_)com>
domboxmail.com => *550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address*
example.com => RCPT TO: <user5(_at_)domboxmail(_dot_)com>
domboxmail.com => 250 OK
example.com => DATA
domboxmail.com => 354 End data with <CRLF>.<CRLF>
{Message Part goes here}
domboxmail.com => 250 OK, message accepted for delivery: queued as 12345
example.com => QUIT
domboxmail.com => 221 Bye
As I mentioned earlier, my system is designed in a way to deal with spam
mails without wasting bandwidth. So all validation mechanisms happen before
the DATA command.
On Wed, Sep 25, 2019 at 4:55 PM Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
On Wed 25/Sep/2019 12:29:44 +0200 Viruthagiri Thirumavalavan wrote:
In my system, challenge/response methods are applicable only for "verified
strangers". When the MAIL FROM says that the mail is coming from
john(_at_)example(_dot_)com, our system is going to fetch the MX
record and check whether the mail is really coming from example.com.
MX /receive/ mail, mailout hosts may differ and, in large sites, they
typically do.
Since we are talking about human-to-human mails here, we are expecting the
mail from one of your MX servers. We also check the SPF record and A record. If
the mail is not coming from any of those IP addresses, we actually reject
the mail.
SPF works better. However, consider the analysis depicted here:
https://en.wikipedia.org/wiki/File:Mailflows-reloaded.png
Many consider reject-on-SPF-fail dubious, which is why most mail sites have
~all instead of -all. Rejecting on non-pass is definitely bad. DMARC needs
simultaneous non-pass of both SPF and DKIM in order to reject. However, the
most diligently authenticated messages are spam.
Best
Ale
--
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
--
Best Regards,
Viruthagiri Thirumavalavan
Dombox, Inc.
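The per-recipient check described in the reply above (MX hosts, A record and SPF of the MAIL FROM domain, decided at RCPT TO before DATA), as an added Python sketch that is not Dombox's code: the DNS table, the restricted-box set and the reply text are constructed stand-ins, and the SPF handling covers only ip4:, a and mx terms (no include: or redirect=).

```python
import ipaddress

# Constructed DNS snapshot for example.com; none of these are real records.
DNS = {
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"example.com": ["192.0.2.10"],
          "mail.example.com": ["192.0.2.25"],
          "mailout.example.com": ["198.51.100.7"]},
    "TXT": {"example.com": ["v=spf1 mx a ip4:198.51.100.0/24 ~all"]},
}
RESTRICTED_BOXES = {"user2", "user4"}  # constructed per-recipient policy
REJECT_550 = ("550 Restricted Box. Unauthorized and Unverified Sender. "
              "Please configure SPF or send this mail from one of your MX server IP addresses")

def _a_nets(host, dns):
    """A records of a host as /32 networks."""
    return [ipaddress.ip_network(a) for a in dns["A"].get(host, [])]

def spf_networks(domain, dns):
    """Networks from the domain's v=spf1 record: ip4:, a and mx only (no include:/redirect=)."""
    nets = []
    for txt in dns["TXT"].get(domain, []):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            if term.startswith("ip4:"):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            elif term == "a":
                nets += _a_nets(domain, dns)
            elif term == "mx":
                for host in dns["MX"].get(domain, []):
                    nets += _a_nets(host, dns)
    return nets

def sender_verified(conn_ip, mail_from, dns=DNS):
    """True if the connecting IP is an MX host, the domain's A record, or SPF-listed."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    nets = _a_nets(domain, dns) + spf_networks(domain, dns)
    for host in dns["MX"].get(domain, []):
        nets += _a_nets(host, dns)
    ip = ipaddress.ip_address(conn_ip)
    return any(ip in net for net in nets)

def rcpt_reply(conn_ip, mail_from, rcpt, dns=DNS, restricted=RESTRICTED_BOXES):
    """Per-recipient verdict at RCPT TO, so nothing is decided after DATA."""
    local = rcpt.split("@", 1)[0].lower()
    if local in restricted and not sender_verified(conn_ip, mail_from, dns):
        return REJECT_550
    return "250 OK"
```

Because the constructed record ends in ~all, a connection from 203.0.113.5 would only softfail under SPF proper, yet a restricted box still gets the 550; that is the reject-on-non-pass behaviour Ale's reply questions.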