spf-discuss

Re: General Status of SPF

2004-02-27 12:40:06
On Fri, 2004-02-27 at 04:30, David Woodhouse wrote:
> If you have the right to speak for all users of your domain, and you
> don't wish any user at your domain to be able to send email to users at
> virtual domains or users who have forwarding setups, that makes sense.

If you own the domain, and they are your users, why would you not have
the right to speak for them? (:  To me, this argument assumes that a
site that receives mail would deploy SPF checking irresponsibly:

If a remote user's final delivery server checks SPF records, and that
remote user chooses to use a forwarding system that forges the envelope,
I fail to see how that is either you or your user's problem as the
sender.  If the destination system's admins who have decided to check
SPF records have failed to educate their users on how to properly
forward mail to their systems as the destination, or if forwarding to
their systems is even allowed, whether or not your user sends mail to
them is irrelevant.  Yes, the mail will not get through, but it is
clearly the remote destination's responsibility to properly deploy SPF
checking, including educating their users, and it is their users'
responsibility to properly forward mail to that destination (or not
forward mail at all).  That destination system has chosen to respect the
rights of the sender domain and conform to their stated policy, which
MAY be strict enough to cause irresponsible forwarding mechanisms to
cause an SPF fail at the destination.  The recipients need to account
for that, because it is not your responsibility as the sending
user/system; you're simply publishing your desired policy.

When I implemented SPF checking on one of my small vanity domain
servers, I sent notice to my users that yes, if they use a forwarder
that does not rewrite the envelope sender (ask your forwarder if they do
this!), then some mail sent to their forwarding address from any domains
that publish SPF will probably not make it (actually, at this point I'm
just adding a 'fail' Received-SPF header, but I digress).  If they
continue to forward email via an irresponsible system, it is the user's
fault because they have been educated, not the user or system that is
trying to send them mail.

-- 
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.

