Seth Goodman wrote:
> I agree that looking for SES0 or SRS0 with the originator and forward
> domains the same is a reasonable way to detect an originator signed
> envelope address. _If_ the recipient has a need to validate the
> originator address, i.e. they do not use a trusted forwarder whitelist,
> they would then query the SPF record for the originating domain.
> Presumably, the SPF record would contain an exists modifier with
> appropriate macros to query the DNS server and get it to validate the
> address. I'm not very good with SPF macros, but here's an attempt at a
> proposal. Please feel free to improve this!
>   v=spf1 a mx ses:%{L}._ses.example.com -all
> where ses = new modifier that says all mail is SES signed
> and provides an 'exists' string to validate it;
We don't need a new mechanism "ses" because
  "v=spf1 a mx exists:%{S}._ses.example.com -all"
already means the following:
- accept the mail if it came from our mail server
  (then for sure it has a valid signed envelope sender),
- if not, check the envelope sender by using the 'exists' mechanism,
- if that fails, reject the mail.
> if there is no colon and string after this modifier, it means that all
> mail is SES signed but there is no DNS mechanism to validate it
This does not make much sense to me.
Roger
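As an added example (not code from the thread or from any SPF implementation), the following Python expands the macros used in the records above and applies Seth's SES0/SRS0 detection to build the `exists:` query name a verifier would look up; the sample address, the SRS0 field layout and the prefix-only SES0 check are assumptions.

```python
import re
from urllib.parse import quote

UNRESERVED = "-._~"  # RFC 3986 unreserved characters (besides ALPHA / DIGIT)


def expand_macro(spec, sender, domain):
    """Expand %{s} %{l} %{o} %{d} (RFC 7208 section 7) with the DIGIT
    transformer, 'r' reversal and upper-case URL-encoding (%{S}, %{L})."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain}

    def replace(match):
        letter, parts, reverse = match.groups()
        labels = values[letter.lower()].split(".")
        if reverse:                       # reversal happens before truncation
            labels.reverse()
        if parts:                         # keep only the right-most N parts
            labels = labels[-int(parts):]
        value = ".".join(labels)
        if letter.isupper():              # upper-case letter: URL-encode '=' and '@'
            value = quote(value, safe=UNRESERVED)
        return value

    return re.sub(r"%\{([slodSLOD])(\d*)(r?)\}", replace, spec)


def signed_sender_kind(sender):
    """Seth's heuristic: SES0/SRS0 local part whose embedded originating domain
    equals the envelope domain. Assumed SRS0 layout: SRS0=HHH=TT=domain=local."""
    local, _, domain = sender.rpartition("@")
    if local.startswith("SES0="):         # SES0 layout not given in the thread
        return "SES0"
    if local.startswith("SRS0="):
        fields = local.split("=", 4)
        if len(fields) == 5 and fields[3].lower() == domain.lower():
            return "SRS0"
    return None


def exists_query_name(spf_record, sender, domain):
    """Name a verifier would resolve (A query) for the record's exists: term."""
    for term in spf_record.split():
        if term.lower().startswith("exists:"):
            return expand_macro(term[len("exists:"):], sender, domain)
    return None


if __name__ == "__main__":
    sender = "SES0=abc123=user@example.com"   # constructed sample address
    record = "v=spf1 a mx exists:%{S}._ses.example.com -all"
    print(signed_sender_kind(sender), exists_query_name(record, sender, "example.com"))
```

Because the records in the thread use upper-case `%{S}` and `%{L}`, the expanded label carries `%3D` and `%40` in place of `=` and `@`, so the DNS side that answers the `exists:` lookup has to expect the URL-encoded form.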