From: Roger Moser
Sent: Sunday, June 13, 2004 2:53 PM
Seth Goodman wrote:
I think we're getting close here. For the following SPF record and SRS0
rewritten MAIL FROM:,
"v=spf1 a mx exists:%{s}._ses.example.com -all"
MAIL
FROM:<SRS0=example(_dot_)com=7fGy=7G=SES0=a69L=7G=user(_at_)forwarder(_dot_)com>
the expansion of the SPF record is:
spf1 a mx exists:forwarder._ses.example.com
where a = IP expression for outgoing MTA's of forwarder.com
mx = IP of MX of forwarder.com
The %s macro is the source address, which is SPF parlance is
the _current
sender_, not the _originating sender_, which is what we want.
I therefore
expanded to "forwarder._ses.example.com" instead of
"SES0=a69L=7G=user._ses.example.com", which is, I think, what
you actually
wanted.
Now I see what you mean. If the forwarder has applied SRS and the
SPF record
of example.com says "do not check the SPF record of any
forwarder", then the
'exists' must extract the original sender from the rewitten sender.
So we need the new macro %f (First sender) which expands to the local part
of the original sender (or maybe the complete original envelope sender).
The %L that I proposed would extract the local-part of the original sender
and we might as well propose %S as the full address of the original sender
as well as %D for the domain of the original sender. These would be the
original sender equivalents of %l, %s and %d. Expanding them is not all
that complicated. Right now, we have four possible formats for MAIL FROM:
in the presence of forwards: RSR, SUBMITTER, SRS and SRS+DBBF. The latter
is an opaque format and the originator address cannot be recovered from it.
Therefore anyone using it needs to be whitelisted at the recipient, unless
the recipients don't care about forgeries. The other three formats all
convey the same information in slightly different ways. Since they are not
opaque, they can all be "unwrapped" to get the original sender. As shown
below, some are easier to deal with than others and the ones that are
simpler to deal with also happen to be "human friendly" formats:
RSR+SES
-------
MAIL FROM:<@forwarder.com:SES0=76aZ=7G=user(_at_)orig-domain(_dot_)com>
SUBMITTER+SES
-------------
MAIL FROM:<SES0=76aZ=7G=user(_at_)orig-domain(_dot_)com>
SUBMITTER:<outgoing(_at_)forwarder(_dot_)com>
SRS0+SES
--------
MAIL
FROM:<SRS0=AH83=7G=orig-domain(_dot_)com=SES0=76aZ=7G=user(_at_)forwarder(_dot_)com>
SRS1+SES
--------
MAIL
FROM:<SRS1=f5q7=forwarder(_dot_)com==AH83=7G=orig-domain(_dot_)com=SES0=76aZ=7G=user(_at_)for
warder2.com>
SR1+SRS0-at-the-originator
---------------------
MAIL
FROM:<SRS1=f5q7=orig-domain(_dot_)com==aW0k=7G=orig-domain(_dot_)com=user(_at_)forwarder(_dot_)com>
--
Seth Goodman