spf-discuss

RE: RFC 2822 groveling after flag day

2004-05-26 18:35:46
From: Daniel Quinlan
Sent: Wednesday, May 26, 2004 8:05 PM


Reading the "new spf" slides of Meng Weng Wong, slide 0332 says in part:

  - If DAVE not provided,
    - before flag day, grovel through RFC 2822 headers.
    - after flag day, use FROM directly.

(Meng Wong confirmed that "FROM" means MAIL FROM here.)

So, let's say flag day has happened and everyone is miraculously using
the DAVE parameter.  Now, does this mean you no longer need to parse RFC
2822 headers?  I don't see how you can ever avoid it.  ...

You are right on both counts, though it may not be obvious why.  The
before/after flag day difference has to do with whether or not you can do
_any_ SPF checks before DATA.  Before flag day, you can only do SPF checks
before DATA if there is a DAVE.  If the SPF result is anything but PASS, you
reject before DATA.  If the SPF result is PASS, you move on to DATA, go
through the headers to extract PRA and make sure PRA == DAVE.  If it
doesn't, you reject at the end of DATA.  If it does, you accept the message.

If there is no DAVE and it is before flag day, you can't tell if the message
is coming from the originating gateway MTA or if the forwarder just hasn't
implemented DAVE yet.  Therefore, you have to go through the headers to
extract PRA and do the SPF check on that.

Now, after flag day, you assume that forwarders are SPF compliant.  No DAVE
means that the message is from the originating gateway MTA and you do the
SPF check on MAIL FROM:.  That is because DAVE would be the same address in
this case, so the originator can omit the redundant parameter.  If there is
a DAVE, it is either a forward or the originator decided to add DAVE anyway (I
believe this is legal, maybe Meng can clarify).  You then do the SPF check
using DAVE.  Either way, anything but an SPF result of PASS means reject
before DATA.  An SPF result of PASS means go on to DATA, go through the
headers, extract PRA and make sure PRA == (address used for SPF check).  If
it doesn't, reject the message at the end of DATA.  If it does, accept the
message.

In all cases, both before and after flag day, you still have to go through
the headers and extract PRA.  The only difference is that before flag day,
if there is no DAVE, you cannot do an SPF check before DATA.

Hope this helps (and I hope Meng will correct me if it's wrong).

--

Seth Goodman


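The decision procedure Seth lays out above (which address to SPF-check before DATA, when no pre-DATA check is possible, and the PRA == checked-address comparison after DATA), written out as an added Python example. This is not code from the post or from any SPF implementation: the SPF evaluation itself is replaced by a constructed lookup table standing in for the DNS-based check, the sample messages are constructed, and the PRA selection uses the Resent-Sender, Resent-From, Sender, From precedence from the Sender ID drafts, which the post does not spell out. Two gaps the post leaves are filled with labelled assumptions: a message with no PRA header is rejected, and in the before-flag-day, no-DAVE case the SPF result on the PRA is applied with the same "anything but PASS means reject" rule used everywhere else.

```python
"""Pre-DATA / post-DATA decision logic from the spf-discuss post.

Added example, not the post's or any project's code.  SPF evaluation is
stubbed with a constructed table; a real check would do DNS lookups.
"""
from enum import Enum
from email.parser import HeaderParser
from email.utils import parseaddr


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NONE = "none"


class Action(Enum):
    REJECT_PRE_DATA = "reject before DATA"
    CONTINUE_TO_DATA = "continue to DATA, then verify PRA"
    CHECK_AFTER_DATA = "no pre-DATA check possible; SPF-check PRA after DATA"


# Constructed stand-in for SPF evaluation: (domain, client_ip) -> result.
# Anything not listed evaluates to NONE.
SPF_TABLE = {
    ("example.org", "192.0.2.10"): Result.PASS,        # originating gateway
    ("forwarder.example", "198.51.100.5"): Result.PASS,  # a compliant forwarder
    ("example.org", "203.0.113.9"): Result.FAIL,       # unauthorised host
}


def spf_check(address, client_ip):
    """Constructed SPF lookup keyed on the address's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return SPF_TABLE.get((domain, client_ip), Result.NONE)


def pre_data_decision(after_flag_day, mail_from, dave, client_ip):
    """Return (Action, address checked or None) following the post's rules."""
    if dave is None:
        if not after_flag_day:
            # Before flag day, no DAVE: could be the originator or a forwarder
            # that has not implemented DAVE yet, so nothing can be checked here.
            return Action.CHECK_AFTER_DATA, None
        # After flag day, no DAVE means the originating gateway MTA; DAVE would
        # equal MAIL FROM, so the check is done on MAIL FROM directly.
        address = mail_from
    else:
        # DAVE present (forward, or originator supplied it anyway): check DAVE.
        address = dave
    if spf_check(address, client_ip) is Result.PASS:
        return Action.CONTINUE_TO_DATA, address
    return Action.REJECT_PRE_DATA, address


# Assumption: PRA precedence from the Sender ID drafts, not stated in the post.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def extract_pra(raw_headers):
    """Return the Purported Responsible Address (lowercased) or None."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    for name in PRA_HEADERS:
        if msg[name]:
            return parseaddr(msg[name])[1].lower()
    return None


def post_data_decision(checked_address, raw_headers, client_ip):
    """After DATA: extract PRA, then either SPF-check it (nothing was checked
    pre-DATA) or require it to equal the address already checked."""
    pra = extract_pra(raw_headers)
    if pra is None:
        return "reject"  # assumption: the post does not cover a missing PRA
    if checked_address is None:
        # Before flag day without DAVE: SPF check on the PRA itself.
        return "accept" if spf_check(pra, client_ip) is Result.PASS else "reject"
    return "accept" if pra == checked_address.lower() else "reject"


# Constructed sample messages.
ORIGINAL_MSG = "From: alice@example.org\r\nSubject: hello\r\n\r\n"
FORWARDED_MSG = (
    "Resent-From: alice@forwarder.example\r\n"
    "From: alice@example.org\r\n"
    "Subject: hello\r\n\r\n"
)

if __name__ == "__main__":
    for flag_day, mail_from, dave, ip, msg in [
        (True, "alice@example.org", None, "192.0.2.10", ORIGINAL_MSG),
        (False, "alice@example.org", None, "192.0.2.10", ORIGINAL_MSG),
        (True, "alice@example.org", "alice@forwarder.example", "198.51.100.5", FORWARDED_MSG),
        (True, "alice@example.org", None, "203.0.113.9", ORIGINAL_MSG),
    ]:
        action, addr = pre_data_decision(flag_day, mail_from, dave, ip)
        verdict = "n/a" if action is Action.REJECT_PRE_DATA else post_data_decision(addr, msg, ip)
        print(f"flag_day={flag_day} dave={dave} ip={ip}: {action.value} -> {verdict}")
```

The four cases in the `__main__` block correspond to the post's branches: originator after flag day (check MAIL FROM, then PRA must match), originator before flag day (no pre-DATA check, SPF on the PRA afterwards), a forward carrying DAVE (check DAVE, then PRA must equal DAVE), and an unauthorised host rejected before DATA.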