spf-discuss

Re: a "never relays" parameter

2004-06-09 23:24:32
Stuart D. Gathman wrote:

Just include both SUBMITTER and MAIL FROM in the exists for the MAIL FROM.
The code in the sender's DNS server then does the same check as the
receiver would.  What is not happening now is checking with MAIL FROM -
only the SUBMITTER is SPF checked.

And there was an excellent suggestion to make that MAIL FROM check
a CBV check, but using DNS instead of SMTP - just look up a name containing
the relevant info.

I have a similar request as the original request in this thread:

Suppose all mail from my mail server has a signed envelope sender and I have
set up a custom DNS server to check the signatures by using the 'exists'
mechanism. And I want to prevent a spammer from using SUBMITTER (or similar)
with "v=spf1 all" to send spam "from my domain". So my SPF record would say
for example:
"v=spf1 only=orig exists:%{S}.ses.example.com -all".

The "only=orig" modifier would mean "check only the SPF record of the
original domain, and ignore any SPF record of the domain of the SUBMITTER
or the source route (which could be a spammer)".

The following would have to be added to the specifications:

"The SPF implementation MUST first check the SPF record of the original
domain, if known. If it contains the modifier "only=orig", then the SPF
implementation MUST ignore the SPF record of the SUBMITTER (or similar)."

Roger
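
An added sketch of the evaluation order proposed in the message above, not code from the poster or from any SPF implementation: `only=orig` is the hypothetical modifier from the message, and `RECORDS`, `lookup`, `parse_modifiers` and `policy_domain` are names invented here. The behaviour without `only=orig` (the SUBMITTER's record is the one checked) is an assumption taken from the thread's description of current checking.

```python
import re

# Modifier names in SPF: a letter, then letters, digits, '-', '_' or '.'.
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")

# Constructed sample data standing in for DNS TXT lookups.
RECORDS = {
    "example.com": "v=spf1 only=orig exists:%{S}.ses.example.com -all",
    "plain.example": "v=spf1 mx -all",
    "spammer.example": "v=spf1 all",
}

def lookup(domain):
    """Stand-in for a TXT query; returns the SPF record or None."""
    return RECORDS.get(domain.lower())

def parse_modifiers(record):
    """Return {name: value} for an SPF record's modifiers, or None if it is not SPF."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mods = {}
    for term in terms[1:]:
        m = MODIFIER.match(term)  # mechanisms such as exists:... never match
        if m:
            mods[m.group(1).lower()] = m.group(2)
    return mods

def policy_domain(orig_domain, submitter_domain, lookup=lookup):
    """Domain whose SPF record the receiver evaluates under the proposed rule."""
    if orig_domain is not None:
        mods = parse_modifiers(lookup(orig_domain))
        # Proposed rule: only=orig on the original domain's record
        # means the SUBMITTER's record is ignored.
        if mods is not None and mods.get("only", "").lower() == "orig":
            return orig_domain
    # Assumption: without only=orig the receiver keeps checking the
    # SUBMITTER's record, falling back to the original domain.
    return submitter_domain or orig_domain

if __name__ == "__main__":
    for orig in ("example.com", "plain.example"):
        print(orig, "->", policy_domain(orig, "spammer.example"))
```

With the constructed records, a permissive `v=spf1 all` published by the SUBMITTER's domain no longer decides the result for `example.com`, while a domain that has not opted in is handled as before.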

