spf-discuss

RE: a "never relays" parameter

2004-06-13 11:12:36
From: Roger Moser
Sent: Friday, June 11, 2004 6:01 PM


Seth Goodman wrote:

I agree that looking for SES0 or SRS0 with the originator and forward
domains the same is a reasonable way to detect an originator signed envelope
address.  _If_ the recipient has a need to validate the originator address,
i.e. they do not use a trusted forwarder whitelist, they would then query
the SPF record for the originating domain.  Presumably, the SPF record would
contain an exists modifier with appropriate macros to query the DNS server
and get it to validate the address.  I'm not very good with SPF macros, but
here's an attempt at a proposal.  Please feel free to improve this!

v=spf1 a mx ses:%{L}._ses.example.com -all

where ses = new modifier that says all mail is SES signed
              and provides an 'exists' string to validate it;

We don't need a new mechanism "ses" because
"v=spf1 a mx exists:%{S}._ses.example.com -all"
already means the following:
- accept the mail if it came from our mail server
  (then for sure it has a valid signed envelope sender),
- if not, check the envelope sender by using the 'exists' mechanism,

I think we're getting close here.  For the following SPF record and SRS0
rewritten MAIL FROM:,

"v=spf1 a mx exists:%{s}._ses.example.com -all"

MAIL FROM:<SRS0=example.com=7fGy=7G=SES0=a69L=7G=user@forwarder.com>

the expansion of the SPF record is:

spf1 a mx exists:forwarder._ses.example.com

   where a  = IP expression for outgoing MTA's of forwarder.com
         mx = IP of MX of forwarder.com


The %s macro is the source address, which in SPF parlance is the _current
sender_, not the _originating sender_, which is what we want.  I therefore
expanded to "forwarder._ses.example.com" instead of
"SES0=a69L=7G=user._ses.example.com", which is, I think, what you actually
wanted.  Also, the "a" and "mx" modifiers refer to the _current sender_, not
the originating sender, so they can't be validated for your domain once the
mail has been forwarded.  This is why we need some other way to express the
fact that the exists modifier should be expanded with the originating
address, not the current sender address.  We also only want the local-part
of the originating address.  I proposed using the new ses: modifier with the
new %L macro as one, perhaps crude, way to do this, but that is the
functionality I was trying to achieve.  If there is a better way to do this,
all suggestions are welcomed.


- if that fails, reject the mail.

              if there is no colon and string after this
              modifier, it means that all mail is SES signed
              but there is no DNS mechanism to validate it

This does not make much sense to me.

There has to be some way to validate the SES address.  At the moment, the
only way is via CBV, which seems somewhat unpopular, even though a number of
large sites use this mechanism today for plain return-path addresses.  Greg
and Stuart proposed a custom DNS module that can handle the
SES/SRS-at-the-originator signature validation.  This is ideal since it
shifts the validation load to the sender, but keeps network bandwidth
minimized since it is a short DNS query (via UDP) with an even shorter
reply.  However, this methodology does not currently exist.  Therefore, I
was just trying to provide for the case where a domain signs its outgoing
mail with SES but does not have the DNS infrastructure to validate the
signature.  It just says, "Though I can't provide signed address validation
services through DNS for my domain, please reject any message purporting to
be from my domain that does not bear an SES signature".  This is not a very
strong test, but it is better than nothing.  It's kind of like those little
tiny locks on the zippers of a suitcase.  They only keep out a casual thief
and anyone who really cares to get in can easily do so.  However, they do
stop some theft, so they are probably worth using.  I'm not tied to this
functionality, it just seemed like a reasonably cheap way to reject some
junk in some cases.

--

Seth Goodman
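As an added illustration (not code from this thread, nor from any SPF, SRS or SES implementation), the following Python script applies the macro expansion Seth walks through above to the rewritten MAIL FROM he quotes. It parses the SRS0 and SES0 fields in the layout used in that address, expands %{s}, %{l}, %{o} and %{d} as SPF defines them (all relative to the current sender, which after forwarding is the forwarder's rewritten address), and adds the hypothetical %{L} originator local-part macro the thread proposes by unwrapping the SRS0 and SES0 layers first. The function names (unwrap_srs0, unwrap_ses0, originator, exists_target) and the sample record are my own; %{L} is not a real SPF macro (in the SPF specification an uppercase macro letter only means "URL-escape the lowercase expansion"), so it is treated here purely as the thread's proposal.

```python
"""
Worked example for the spf-discuss thread above: show what the 'exists:'
target of an SPF record expands to for an SRS0-rewritten, SES0-signed
envelope sender, using the standard SPF macros versus the originator
local-part macro %{L} proposed in the thread.

Assumptions (not from any standard):
  * SRS0 fields are laid out as in the thread's example:
      SRS0=<orig-domain>=<hash>=<timestamp>=<orig-local>
  * SES0 fields are laid out as in the thread's example:
      SES0=<hash>=<timestamp>=<local>
  * %{L} is the hypothetical "originator local-part" macro from the thread.
"""
import re

# Constructed sample values, copied from the thread's example exchange.
SAMPLE_SENDER = "SRS0=example.com=7fGy=7G=SES0=a69L=7G=user@forwarder.com"
SAMPLE_RECORD = "v=spf1 a mx exists:%{s}._ses.example.com -all"


def split_address(addr):
    """Return (local-part, domain) of a single envelope address."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("not an envelope address: %r" % addr)
    return local, domain


def unwrap_srs0(local):
    """Strip one SRS0 rewrite (thread's field layout).
    Returns (orig_local, orig_domain), or None if local is not SRS0."""
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, orig_domain, _hash, _timestamp, orig_local = parts
    return orig_local, orig_domain


def unwrap_ses0(local):
    """Strip an SES0 signature (thread's field layout).
    Returns the unsigned local-part, or None if local is not SES0."""
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0].upper() != "SES0":
        return None
    return parts[3]


def originator(sender):
    """Peel SRS0 (possibly nested, one layer per forwarding hop) and then
    SES0 off a sender address, returning the originator's plain local-part,
    originating domain, and whether an SES0 signature was present."""
    local, domain = split_address(sender)
    while True:
        srs = unwrap_srs0(local)
        if srs is None:
            break
        local, domain = srs          # the SRS0 layer names the previous hop
    plain = unwrap_ses0(local)
    signed = plain is not None
    return {"local": plain if signed else local, "domain": domain, "signed": signed}


_MACRO = re.compile(r"%\{([slodL])\}")


def expand(domain_spec, sender, current_domain):
    """Expand the macros used in the thread.
    s, l, o, d follow SPF: full sender, its local-part, its domain, and the
    domain whose record is being evaluated -- all about the *current* sender.
    L is the hypothetical originator local-part from the thread."""
    local, sender_domain = split_address(sender)
    values = {
        "s": sender,
        "l": local,
        "o": sender_domain,
        "d": current_domain,
        "L": originator(sender)["local"],
    }
    return _MACRO.sub(lambda m: values[m.group(1)], domain_spec)


def exists_target(record, sender, current_domain):
    """Return the expanded target of the record's first exists: mechanism,
    or None if the record has none."""
    for term in record.split():
        if term.lower().startswith("exists:"):
            return expand(term[len("exists:"):], sender, current_domain)
    return None


if __name__ == "__main__":
    print(originator(SAMPLE_SENDER))
    for rec in (SAMPLE_RECORD,
                "v=spf1 a mx exists:%{l}._ses.example.com -all",
                "v=spf1 a mx exists:%{L}._ses.example.com -all"):
        print(rec, "->", exists_target(rec, SAMPLE_SENDER, "forwarder.com"))
```

Running it shows the point of the exchange: with %{s} or %{l} the whole rewritten address (including the forwarder's SRS0 wrapper) lands in the DNS query name, so the originating domain's DNS cannot validate anything about its own signed local-part, whereas the proposed %{L} yields user._ses.example.com, the form the originator's validating DNS module would actually need.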