spf-discuss

SPF does not break forwarding

2004-05-20 07:23:33
I spent a few hours yesterday attempting to defend SPF on Slashdot.  Many 
slashdotters quoted the SPF website where it says "SPF breaks forwarding".
I am suggesting that this is misleading.  SPF does not break forwarding
when deployed by either the sender or the receiver - regardless of whether
any forwarders know about SPF or SRS.

What *could* break forwarding is a receiver that naively starts 
rejecting mail on SPF fail without taking non-SPF-aware forwarders 
into account.

I think it should be clear on the web site that SPF does not in itself
break forwarding, but that forwarding needs to be handled by a correct
SPF implementation for the mail receiver.  In other words, forwarding
is an annoying implementation detail, not something that SPF breaks.

Another thing that seems to escape the average slashdotter (although the
web site seems perfectly clear to me) is that SPF is *just one* of
several easily implemented ways to authenticate the return path (SES being
another), and is *not* an answer to spam (it is an answer to authentication),
and is *not* an answer to authenticating other aspects of an SMTP message.
(E.g. Yahoo DomainKeys for the From: header and S/MIME for the body.)
SPF is not intended to be and should not be the only possible way to
authenticate everything - or even just the return path.

Many slashdotters felt that authenticating the return path was "useless"
because the end user never/rarely sees it.  The website should address
why return path authentication is important - without diminishing the
importance of authentication at other levels.

I would draw an analogy between SMTP authentication and IP protocol.
The original IP protocol had no authentication, and IP spoofing was rife.
Over time, routers began to apply rules to the purported source IP
of a packet.  A packet with an internal address could only legitimately
come from the internal network, for instance.  This authentication
looked only at the IP header.  Importantly for high performance routers,
it did not require waiting to receive the entire packet.

At the same time, the ESP extension header for IP addressed authentication for
the packet as a whole.

SPF corresponds to source address sanity checking (anti-spoofing).  Yahoo
DomainKeys corresponds to ESP authentication, and S/MIME corresponds to IPsec
encryption.  You need all three levels.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
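The receiver-side point made in the post above, as an added example that is not part of the original message and not code from the SPF project: a minimal SPF evaluator (ip4/ip6/all mechanisms only, no DNS) plus a receiving-MTA policy that exempts known forwarders before it rejects on SPF fail. The domains, SPF records, IP addresses and the trusted-forwarder list are all constructed for the example; a real MTA would fetch the TXT record over DNS and support include/a/mx as well.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed SPF records standing in for DNS TXT lookups (no network access).
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> SPF result for a matching mechanism.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, records: Dict[str, str] = SPF_RECORDS) -> str:
    """Evaluate the envelope-sender domain's SPF record against the connecting IP.

    Only ip4, ip6 and all are supported here; include/a/mx/exists need DNS and
    are rejected with ValueError. Returns pass/fail/softfail/neutral/none.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported mechanism in this example: {name}")
    return "neutral"  # record exhausted without a match


def receiver_action(domain: str, client_ip: str,
                    trusted_forwarders: Iterable[str]) -> Tuple[str, str]:
    """Decide what the receiving MTA does with a message.

    A non-SPF-aware forwarder re-injects mail with the original MAIL FROM
    intact, so evaluating SPF against the forwarder's IP would produce a
    spurious fail. Known forwarders are therefore exempted *before* the
    check; everything else is rejected on fail and flagged on softfail.
    Returns (action, reason).
    """
    ip = ipaddress.ip_address(client_ip)
    for cidr in trusted_forwarders:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return ("accept", "forwarder")
    result = check_spf(domain, client_ip)
    if result == "fail":
        return ("reject", result)
    if result == "softfail":
        return ("accept-flagged", result)
    return ("accept", result)


if __name__ == "__main__":
    # Scenario: alice@example.com -> forwarder at 203.0.113.7 -> our server.
    # The forwarder keeps the original envelope sender, so SPF for example.com
    # is evaluated against the forwarder's IP.
    print("naive receiver :", receiver_action("example.com", "203.0.113.7", []))
    print("aware receiver :", receiver_action("example.com", "203.0.113.7", ["203.0.113.0/24"]))
    print("direct delivery:", receiver_action("example.com", "192.0.2.5", ["203.0.113.0/24"]))
```

The naive call rejects legitimate forwarded mail; the second accepts it only because the forwarder's address was exempted, which is the implementation detail the post says a correct receiver must handle. Direct delivery from the sender's published range passes either way.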