spf-discuss
[Top] [All Lists]

Re: The New SPF: introducing RFROM

2004-05-26 06:47:14
Seth Goodman wrote:

I don't think you're missing anything.  Source routing is a deprecated
practice in RFC2821, as you mentioned.  The only issue I see is that a mail
sender should not be permitted to _specify_ a source route.  That is an old
practice that is clearly not needed and incompatible with how email works
today.  However, I don't see that there is any harm in recording the route
actually taken in the MAIL FROM:, as an alternative to putting the current
sender in RFROM.  Similar to RFROM, it is really an advance look at the key
information in all the received headers made available before DATA.  The
other question is a political one:  is it easier to get through a new ESMTP
extension or to revise RFC2821?  I suppose that the SPF RFC could just
declare we will use source route format for MAIL FROM:, since it _is_
required in RFC2821 that all recipients handle it correctly, even though it
is deprecated.

There is some good to be had by doing the hopefully redundant PRA extraction
on the headers.  We would like to catch the situation where the 2821
information is compliant with SPF but the 2822 message headers are something
else entirely.  The PRA extraction and the requirement that PRA matches
either MAIL FROM: or RFROM, if it is available, is a key step in making sure
the 2821 and 2822 information agree.

What do others think?


This sounds like a good solution to me, it avoids "flag day" problems,
makes use of existing infrastructure, and minimizes complexity.

Of course SPF can only verify the last hop, but that should be
reasonable and sufficient.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203