spf-discuss

RE: HELO vs. envelope checks

2004-05-23 22:42:31
I think we're on the same page and all is well.

I will take a quick stab at addressing one point regarding the new scheme and then sign off for the night. (I'm not responding to all points you made, since we're mostly in agreement :)


--Seth Goodman <sethg(_at_)GoodmanAssociates(_dot_)com> wrote:

>> [Regarding SES in combination with localpart macros, exists:%{l}....]

> I guess we now have to take account of the fact that SPF checks are only
> done on MAIL FROM: at the first hop.  At the second and subsequent hops,
> we now use (RFROM -> FRED ->) DAVE parameter, the SPF check on (PRD ->)
> PRA does not validate the return-path.


That is correct. The way I understand it, if the RFROM parameter is there, you would check that, and NOT check MAIL FROM. This is similar to the SRS case: if the MAIL FROM is an SRS rewrite, you would normally only check the SPF record for the forwarder's domain.

If the message has been forwarded, but there is no RFROM, we would check the 2822 headers and try to glean who forwarded it, if any.



>> So if A or MX are matching, answer PASS, otherwise do the DNS check.

> That's quite nice.  The new convergence makes this somewhat messier.  On
> the first hop, there is no DAVE parameter, so the SPF test is done on
> MAIL FROM: and your SPF record would do the job quite nicely.  On
> forwarding hops, the DAVE parameter is SPF checked and the 'exists' part
> is no longer appropriate, at least with current SPF macros.  To make this
> practical, we'd need additional SPF macro terms to specify the parts of
> the MAIL FROM: address instead of the DAVE address.

Right, I'm assuming that if RFROM checks out OK, you would just skip MAIL FROM entirely. If RFROM is present, then only a PASS result is acceptable. But, the SPF checking would be done against RFROM's domain anyway.

The ideal case is if the SPF-aware forwarder is checking SPF on the way in, then if you are a customer of the forwarder, you can trust that the first hop check has already been done. I don't know what would happen if we had to check the correctness of previous hops besides the current one.

OK see you later!

gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
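Added illustration of the identity-selection rule the two messages above discuss; this is example code written for this page, not code from the list, from any SPF implementation, or from the convergence draft. It assumes RFROM is carried as a keyword=value parameter on MAIL FROM and names the forwarder's own address (an assumption about the proposal, not a fact from the thread), uses constructed DNS data for example.com and forwarder.example, and evaluates only the a, mx, exists: and -all terms with the %{l} and %{d} macros. The third scenario shows the problem Seth raises: a receiver that evaluates exists:%{l}._spf.%{d} against an SRS-rewritten MAIL FROM expands %{l} to the forwarder's rewritten local part, so the name the original sender published is never looked up.

```python
import re

# Constructed DNS data for the example (not real records).
DNS = {
    ("A", "example.com"): ["192.0.2.10"],
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.20"],
    # Target of exists:%{l}._spf.%{d} for the local part "fred".
    ("A", "fred._spf.example.com"): ["127.0.0.2"],
    ("A", "forwarder.example"): ["198.51.100.7"],
    ("TXT", "example.com"): ["v=spf1 a mx exists:%{l}._spf.%{d} -all"],
    ("TXT", "forwarder.example"): ["v=spf1 a -all"],
}

SRS_RE = re.compile(r"^SRS[01]=", re.I)  # local part produced by an SRS rewrite


def lookup(rrtype, name):
    return DNS.get((rrtype, name.lower()), [])


def split_addr(addr):
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def select_identity(mail_from, params):
    """Rule from the post: if RFROM accompanies MAIL FROM (forwarding hop),
    check RFROM and skip MAIL FROM entirely; otherwise check MAIL FROM."""
    rfrom = params.get("RFROM")  # assumed parameter name/placement
    if rfrom:
        return "RFROM", rfrom
    return "MAIL FROM", mail_from


def expand(term, addr):
    """Expand the only two macros this illustration needs: %{l} and %{d}."""
    local, domain = split_addr(addr)
    return term.replace("%{l}", local).replace("%{d}", domain)


def check_spf(addr, client_ip):
    """Toy evaluator: a, mx, exists: and -all only; no include/redirect."""
    _, domain = split_addr(addr)
    txt = lookup("TXT", domain)
    if not txt:
        return "none", "no SPF record for " + domain
    for mech in txt[0].split()[1:]:  # skip the v=spf1 tag
        if mech == "a":
            if client_ip in lookup("A", domain):
                return "pass", "a"
        elif mech == "mx":
            for host in lookup("MX", domain):
                if client_ip in lookup("A", host):
                    return "pass", "mx:" + host
        elif mech.startswith("exists:"):
            name = expand(mech[len("exists:"):], addr)
            if lookup("A", name):
                return "pass", "exists:" + name
        elif mech == "-all":
            return "fail", "-all"
    return "neutral", "end of record"


def hop(mail_from, params, client_ip):
    """Outcome of one SMTP hop: which identity was checked and the result."""
    label, addr = select_identity(mail_from, params)
    result, reason = check_spf(addr, client_ip)
    # Post: when RFROM is present, only a PASS is acceptable.
    if label == "RFROM" and result != "pass":
        result, reason = "fail", "RFROM present but did not PASS (" + reason + ")"
    return {
        "identity": label,
        "address": addr,
        "result": result,
        "reason": reason,
        "srs_rewrite": bool(SRS_RE.match(split_addr(mail_from)[0])),
    }


# 1) First hop: fred@example.com from an IP that is neither A nor MX, so
#    the exists:%{l} term is what produces the PASS.
FIRST = hop("fred@example.com", {}, "203.0.113.5")

# 2) Forwarding hop: MAIL FROM was SRS-rewritten and RFROM was attached.
#    The check runs against RFROM (forwarder.example), not MAIL FROM.
SRS_FROM = "SRS0=k1b9=TT=example.com=fred@forwarder.example"
FORWARDED = hop(SRS_FROM, {"RFROM": "bounces@forwarder.example"}, "198.51.100.7")

# 2b) Same RFROM from an IP the forwarder did not list: -all, and since
#     RFROM is present anything but PASS is treated as a failure.
FORWARDED_BAD = hop(SRS_FROM, {"RFROM": "bounces@forwarder.example"}, "203.0.113.9")

# 3) A receiver that ignores RFROM and expands the sender's exists: term
#    against the SRS address gets a name nobody published.
NAIVE_NAME = expand("%{l}._spf.%{d}", SRS_FROM)
```

Running the block and printing FIRST, FORWARDED, FORWARDED_BAD and NAIVE_NAME shows the three cases side by side; the last value is the concrete form of the "additional macro terms" gap Seth describes, since no current macro reaches the original MAIL FROM local part once the forwarder has rewritten it.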