On Thu, 2004-04-22 at 17:57, Lars Dybdahl wrote:
> > > With SPF, you simply state, "which servers may act legitimately".
> > > If you include the forwarder, it's legitimately. If not, it's not.
> > You don't normally list a forwarder as a designated sender in an SPF record.
> Exactly. Which is why a forwarder cannot normally legitimately send messages
> on behalf of that e-mail address. Which is also why SRS or whitelisting
> of the forwarder is needed.
As an aside, when suggesting a ~/.trusted-forwarders file with lines
such as:
    include:user@example.com
I had imagined (admittedly somewhat vaguely) that it would be possible
to implement something somewhat like this with a couple macro-based
modifiers in the SPF record, so that an SPF record could directly list
machines and users to accept forwards from, or list an "exists"-type
macro that in turn references lists of who to accept forwards from.
I'm not thinking of this as a claim of "we accept forwards from", but
more of a convenient way to publish a list of fully qualified mail
addresses or domains that other people might want to accept forwards
from--very useful for things such as publicizing directly-usable
corporate policies.
A company could list all its trusted forwarders in a record associated
with an internal mail domain, as could individual project groups within
the company.
Then people setting up mail-servers within the company could include:
well-known company domains in /etc/trusted-forwarders, and let the owner
of that internal domain deal with all the chase-after-policy-change
hassles.
--
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
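
The trusted-forwarders idea in the message above, sketched as an added example that is not part of the original message or of any SPF implementation. The file syntax beyond `include:`, the include cap, the `PUBLISHED` table (a constructed stand-in for records fetched from DNS) and all host names are assumptions.

```python
# Added illustration: only the "include:" line form comes from the message;
# comments, the cap and the lookup table are assumptions.
MAX_INCLUDES = 10  # assumed cap, in the spirit of SPF's DNS lookup limit

# Constructed sample data: name -> trusted-forwarder entries it publishes.
PUBLISHED = {
    "corp.example.com": ["fwd1.example.net",
                         "include:project.corp.example.com"],
    "project.corp.example.com": ["alumni.example.org",
                                 "include:corp.example.com"],  # include loop
    "user@example.com": ["pobox.example.net"],
}

def expand(lines, lookup=PUBLISHED.get):
    """Return the forwarder hosts named directly or reached via include:."""
    hosts, seen, budget = set(), set(), MAX_INCLUDES
    stack = list(lines)
    while stack:
        entry = stack.pop().split("#", 1)[0].strip().lower()
        if not entry:
            continue  # blank line or comment
        if not entry.startswith("include:"):
            hosts.add(entry)
            continue
        target = entry[len("include:"):]
        if target in seen:
            continue  # already expanded, so include loops terminate
        if budget == 0:
            raise ValueError("too many includes")
        budget -= 1
        seen.add(target)
        stack.extend(lookup(target) or [])  # unknown target adds nothing
    return hosts

def verdict(client_host, spf_result, trusted):
    """Excuse an SPF fail only when the connecting host is a trusted forwarder.

    client_host is assumed to be already verified (for example by
    forward-confirmed reverse DNS), not taken from HELO.
    """
    if spf_result == "fail" and client_host.lower() not in trusted:
        return "reject"
    return "accept"
```

Because the list is resolved at check time, a change to the published company list takes effect without editing each server's /etc/trusted-forwarders, which is the delegation the message describes.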