spf-discuss

Re: SUBMITTER is a bad idea

2004-06-04 04:40:31
Michael R. Brumm wrote:

Ok, anyone got anything written up on various implications of resurrecting
reverse source path for use with SPF?

And, if you need to add SES to reverse source path to prevent bounce
forgery, then why not just use SRS?

First, you cannot add SRS to a 64-character local part.

Second, SES is added by the original MTA only, whereas SRS has to be added
by ALL forwarders in the world.

For example if example.com sends MAIL FROM:
<John.Smith-ses-hash@example.com>, then the forwarder just has to prepend
his domain name:
MAIL FROM: <@forwarder.com:John.Smith-ses-hash@example.com>

SPF will then check the SPF record of forwarder.com. And if it does not
publish an SPF record, SPF will then check the SPF record of
example.com that probably has something like "v=spf1 mx
exists:%{S}.ses.example.com -all" and if the SES verification succeeds the
result will be 'pass' even if the forwarder did not hear about SPF.

Roger
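
The lookup order described in this message, sketched as an added example (not code from the post or from any SPF implementation). The `published` dict is constructed data standing in for DNS TXT lookups, and expanding `%{S}` against the original mailbox rather than the full source-routed path is an assumption.

```python
import re
from urllib.parse import quote

# RFC 821 reverse-path with optional source route: <@hop1,@hop2:local@domain>
_PATH = re.compile(
    r"^<(?:(?P<route>@[^:]+):)?(?P<local>[^@<>]+)@(?P<domain>[^@<>]+)>$")

def parse_reverse_path(path):
    """Split a MAIL FROM path into (route_domains, mailbox)."""
    m = _PATH.match(path.strip())
    if not m:
        raise ValueError("not a usable reverse-path: %r" % path)
    hops = (m.group("route") or "").split(",")
    route = [h.strip().lstrip("@").lower() for h in hops if h.strip()]
    return route, "%s@%s" % (m.group("local"), m.group("domain").lower())

def expand_macros(term, sender):
    """Expand only the sender macro. In SPF macro syntax an uppercase
    letter means the expansion is URL-escaped, so '@' becomes '%40'."""
    term = term.replace("%{S}", quote(sender, safe=""))
    return term.replace("%{s}", sender)

def select_policy(path, published):
    """Return (domain, expanded_terms) for the first domain that publishes
    an SPF record: route hops first (leftmost first), then the mailbox
    domain. Returns (None, []) when no domain on the path publishes one."""
    route, mailbox = parse_reverse_path(path)
    for domain in route + [mailbox.rsplit("@", 1)[1]]:
        record = published.get(domain, "")
        if record.startswith("v=spf1"):
            terms = [expand_macros(t, mailbox) for t in record.split()[1:]]
            return domain, terms
    return None, []

# Constructed sample data: the record text is the one quoted in the message.
ORIGIN_ONLY = {"example.com": "v=spf1 mx exists:%{S}.ses.example.com -all"}
BOTH = dict(ORIGIN_ONLY, **{"forwarder.com": "v=spf1 mx -all"})
FORWARDED = "<@forwarder.com:John.Smith-ses-hash@example.com>"

if __name__ == "__main__":
    print(select_policy(FORWARDED, ORIGIN_ONLY))  # falls back to example.com
    print(select_policy(FORWARDED, BOTH))         # forwarder.com decides
```

With only example.com publishing a record, the `exists:` term expands to a name under `ses.example.com` that carries the SES-tagged local part, which is the lookup the origin's DNS would use to verify the hash.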