spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-19 23:03:27
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:


Whitelists can work, depending on your environment.  I should point out that
a whitelist is valuable to the extent that you can verify that the mail
actually came from the whitelisted address and is not a forgery.

Unless I am mistaken, forwarders are normally for the convenience of
and work on behalf of the recipient, not the sender. So the recipient
will normally know what forwarders he has set up (e.g. xxx(_at_)pobox(_dot_)com
will be forwarded to yyy(_at_)actual(_dot_)mail(_dot_)com). In which case, would it not
be possible to just have the forwarder do the SPF check and for the
recipient to whitelist the IP address(es) (which almost by definition
are trusted) of the forwarding systems? This would, of course,
only work if there is only one forwarder and a forwarder does not
forward to another forwarder. Though I cannot think why someone would
want to use a chain of forwarders rather than having the first one
forward to the eventual destination (except in the case of anonymising
crypto forwarding, but SPF check on the originator would not be
possible in this scenario anyway).
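
The arrangement proposed in the message above, sketched as receiver-side logic (an added example, not part of the original post). It assumes the forwarder prepends a Received-SPF header with its result to every message it relays; the networks, the `local_spf_check` hook and the sample message are constructed for illustration.

```python
import ipaddress
from email import message_from_string

# Assumption: addresses of the forwarders the recipient set up (documentation ranges).
TRUSTED_FORWARDERS = [ipaddress.ip_network("192.0.2.0/28"),
                      ipaddress.ip_network("2001:db8:f0::/48")]

def is_trusted_forwarder(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_FORWARDERS)

def forwarder_spf_result(raw_message):
    """Result token of the topmost Received-SPF header, or None if absent.

    Only the topmost header is read: it is the one prepended last, so with a
    single forwarder that always adds its own, anything below it came from the
    sender and cannot be trusted.
    """
    headers = message_from_string(raw_message).get_all("Received-SPF") or []
    return headers[0].split()[0].lower() if headers else None

def decide(client_ip, raw_message, local_spf_check):
    """Return (who_checked, spf_result) for one incoming SMTP connection.

    local_spf_check is a hypothetical hook: callable(client_ip) -> result,
    standing in for the receiver's own SPF evaluation.
    """
    if not is_trusted_forwarder(client_ip):
        # Direct delivery: ignore any Received-SPF header, the sender wrote it.
        return ("local", local_spf_check(client_ip))
    # Whitelisted forwarder: the connecting IP is the forwarder's, so a local
    # SPF check against the original sender's domain would fail by design.
    return ("forwarder", forwarder_spf_result(raw_message) or "none")

# Constructed sample: the forwarder's verdict on top, a sender-forged one below.
SAMPLE = (
    "Received-SPF: fail (forwarder.example: not permitted) client-ip=198.51.100.7\n"
    "Received-SPF: pass (forged by sender)\n"
    "From: someone@example.org\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(decide("192.0.2.5", SAMPLE, lambda ip: "pass"))        # via forwarder
    print(decide("203.0.113.9", SAMPLE, lambda ip: "softfail"))  # direct
```
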