spf-discuss

Re: a "never relays" parameter

2004-06-11 16:00:40
Seth Goodman wrote:

I agree that looking for SES0 or SRS0 with the originator and forward domains the same is a reasonable way to detect an originator signed envelope address.  _If_ the recipient has a need to validate the originator address, i.e. they do not use a trusted forwarder whitelist, they would then query the SPF record for the originating domain.  Presumably, the SPF record would contain an exists modifier with appropriate macros to query the DNS server and get it to validate the address.  I'm not very good with SPF macros, but here's an attempt at a proposal.  Please feel free to improve this!

v=spf1 a mx ses:%{L}._ses.example.com -all

where ses = new modifier that says all mail is SES signed
              and provides an 'exists' string to validate it;

We don't need a new mechanism "ses" because
"v=spf1 a mx exists:%{S}._ses.example.com -all"
already means the following:
- accept the mail if it came from our mail server
  (then for sure it has a valid signed envelope sender),
- if not, check the envelope sender by using the 'exists' mechanism,
- if that fails, reject the mail.

              if there is no colon and string after this
              modifier, it means that all mail is SES signed
              but there is no DNS mechanism to validate it

This does not make much sense to me.

Roger
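As an added illustration (not code from this thread or from any SPF implementation), here is a minimal evaluator that expands the %{S}/%{l} macros and walks the a, mx, exists and -all terms of the record above, so the three cases Roger lists can be checked against a constructed stub resolver. The resolver dictionary, the IP addresses and the "SES0=tag=user" envelope form are all made up for the example.

```python
"""Evaluate 'v=spf1 a mx exists:%{S}._ses.example.com -all' against a stub resolver."""
import re
from urllib.parse import quote

# Macro subset from RFC 7208 section 7: letter, optional label count, optional 'r'.
# An uppercase letter means the expansion is URL-encoded (so %{S} encodes '=' and '@').
MACRO = re.compile(r"%\{([slodiSLODI])(\d*)(r?)\}")


def expand_macro(spec, sender, domain, ip):
    """Expand %{s} sender, %{l} local-part, %{o} sender domain, %{d} domain, %{i} IP."""
    local, _, origin = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": origin, "d": domain, "i": ip}

    def repl(match):
        letter, count, reverse = match.groups()
        parts = values[letter.lower()].split(".")
        if reverse:
            parts.reverse()
        if count:
            parts = parts[-int(count):]
        text = ".".join(parts)
        return quote(text, safe="") if letter.isupper() else text

    return MACRO.sub(repl, spec)


def check_host(record, ip, sender, domain, resolver):
    """Tiny SPF check: supports a, mx, exists and all. resolver is a constructed
    stub mapping (qtype, name) -> list of answers; an empty list means NXDOMAIN."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":  # mail came from our own server
            matched = ip in resolver.get(("A", arg or domain), [])
        elif mech == "mx":
            hosts = resolver.get(("MX", arg or domain), [])
            matched = any(ip in resolver.get(("A", mx), []) for mx in hosts)
        elif mech == "exists":  # ask DNS whether the signed sender validates
            matched = bool(resolver.get(("A", expand_macro(arg, sender, domain, ip))))
        else:
            continue  # unknown mechanisms are ignored in this toy evaluator
        if matched:
            return results[qualifier]
    return "neutral"
```

A real validator also has to keep each DNS label under 63 octets; a URL-encoded full sender in one label can exceed that, so the signed local-part would need hashing or splitting.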