spf-discuss

Re: Global whitelist: wl.trusted-forwarder.org

2003-10-17 11:24:18
I've got two name servers at my immediate disposal, each on a dual T1-circuit going to different providers. I could also throw up another name server in our stealth.net space, another 5MBs right there, but I'm not sure if we're going to keep the Stealth account for another year.

It'd be nice if we had a few people with actual backbones willing to host these, but I don't mind tossing some of our resources onto the pile in the meantime.


wayne wrote:

In <3F8F0960.9030206@eztradelive.com> Andrew Boling <davin@eztradelive.com> writes:

I just subscribed so I'm a little behind on the discussion, but we may
be able to give you a hand over here. What're we looking at here, a
standard DNS server or something else you've developed?
The discussion basically starts with this post:

http://archives.listbox.com/spf-discuss@v2.listbox.com/200310/0053.html


The problem SPF faces is that many legitimate (and large) mail servers
"forge" the envelope-from when sending out email.  This includes
things like eBay.com when a bidder asks a seller about an auction.  If
the bidder uses a domain that has published SPF records and the
seller's MTA checks SPF, then the email will be rejected because it is
"forged".
In theory, eBay.com needs to update their mail server to not forge the
envelope-from, but that isn't likely to happen in the immediate
future.  One alternative is for all domains that publish SPF records to
include eBay's IP addresses as "allowed mailers", but that would be a
nightmare to maintain.  Another alternative is for all systems that
check the SPF system to also check a whitelist of some kind, but
again, maintaining this whitelist is going to be a pain for everyone
to do.

The solution:  create a global whitelist of mail servers that forward
(or generate) email with forged envelope-froms but are trusted to do
so for legitimate purposes.  Then, only the maintainers of the DNSWLs
will need to keep things up to date.
Again, in theory, these DNSWLs should eventually go away after most
of the important systems have converted to SPF.
Right now, it is a somewhat open question about how these DNSWLs
should be used.  (It is an open question, because I don't think it has
been discussed.)

Option one:  Systems that check SPF *MAY* check one or more DNSWLs.
These systems may have to whitelist certain special cases anyway.

Option two:  Domain owners could add "!dnsl:wl.trusted-forwarder.org"
to their SPF specs.  They could also add any other DNSWLs that they
trust to be well maintained.
If we choose to recommend option one and a domain owner doesn't like a
particular DNSWL, they can add "dnsl:wl.trusted-forwarder.org" to their
spec.

-wayne

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname
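To make the forwarder problem and the two DNSWL options concrete, here is an added toy SPF evaluator; it is example code written for this archive page, not code from the spf-discuss thread or from the SPF project. Its simplifications and assumptions: a handful of constructed DNS records stand in for the real resolver, the "dnsl:" term from wayne's post is treated as an ordinary SPF mechanism taking the usual +/-/~/? qualifiers, and whitelist membership is assumed to be keyed as the reversed IPv4 octets under the list zone (the wl.trusted-forwarder.org lookup format is not stated in the post).

```python
import ipaddress

# Constructed stand-in for DNS (not real records): SPF TXT records for three
# sender domains, plus one A record in the hypothetical wl.trusted-forwarder.org
# zone for 198.51.100.7, a forwarder that sends with the bidder's envelope-from.
FAKE_DNS = {
    ("bidder.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
    ("bidder2.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 dnsl:wl.trusted-forwarder.org -all",
    ("optout.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 -dnsl:wl.trusted-forwarder.org -all",
    ("7.100.51.198.wl.trusted-forwarder.org", "A"): "127.0.0.2",
}

def dns_lookup(name, rrtype):
    return FAKE_DNS.get((name, rrtype))

def in_dnswl(ip, zone):
    """Assumed list convention: reversed IPv4 octets under the list zone
    resolve to an A record when the address is whitelisted."""
    rev = ".".join(reversed(str(ip).split(".")))
    return dns_lookup(f"{rev}.{zone}", "A") is not None

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_domain, client_ip, checker_dnswls=()):
    """Return the SPF result for client_ip sending as sender_domain.
    checker_dnswls models option one (the receiver consults lists it picks);
    a dnsl: mechanism in the record models option two (the owner names lists
    it trusts, or opts out of one with a '-' qualifier)."""
    ip = ipaddress.ip_address(client_ip)
    record = dns_lookup(sender_domain, "TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        kind, _, arg = term.partition(":")
        matched = False
        if kind == "all":
            # Option one: receiver consults its own lists before "-all" rejects a listed forwarder
            if qualifier == "-" and any(in_dnswl(ip, z) for z in checker_dnswls):
                return "pass"
            matched = True
        elif kind == "ip4":
            matched = ip in ipaddress.ip_network(arg)
        elif kind == "dnsl":
            matched = in_dnswl(ip, arg)
        if matched:  # unsupported mechanisms never match in this toy
            return RESULT[qualifier]
    return "neutral"
```

With no whitelist anywhere, mail from the listed forwarder fails as "forged"; it passes once either the receiver (option one) or the domain's own record (option two) consults the list, and a record that opts out with "-dnsl:" still fails it.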