spf-discuss

Re: a "never relays" parameter

2004-06-14 00:20:55
I wrote:

Now I see what you mean. If the forwarder has applied SRS and the SPF record
of example.com says "do not check the SPF record of any forwarder", then the
'exists' must extract the original sender from the rewritten sender.

So we need the new macro %f (First sender) which expands to the local part
of the original sender (or maybe the complete original envelope sender).

I am taking that back. We do not need a new macro because the routine that
examines the SPF record of the original domain already has extracted the
original envelope sender (otherwise it would not know what the original
domain is).


Here are some examples:
(assuming that the SPF record of example.com is
"v=spf1 only=orig a exists:%{l}.ses.example.com -all")

1. The MTA receives mail directly from example.com saying
MAIL FROM:<SES0=a69L=7G=user@example.com>
--> The SPF record of example.com is examined. The 'a' mechanism returns
'pass' and the mail is accepted.

2. The MTA receives mail from forwarder.com (doing neither SRS nor RSR nor
SUBMITTER) saying
MAIL FROM:<SES0=a69L=7G=user@example.com>
--> The SPF record of example.com is examined. The 'a' mechanism fails, but
'exists' returns 'pass' and the mail is accepted.

3. The MTA receives mail from forwarder.com (doing RSR) saying
MAIL FROM:<@forwarder.com:SES0=a69L=7G=user@example.com>
--> The program extracts the original sender (SES0=a69L=7G=user@example.com)
and with that email address examines the SPF record of example.com. The 'a'
mechanism fails, but 'exists' returns 'pass' and the mail is accepted.

4. The MTA receives mail from forwarder.com (doing SRS) saying
MAIL FROM:<SRS0=7fGy=7G=example.com=SES0=a69L=7G=user@forwarder.com>
--> The program extracts the original sender (SES0=a69L=7G=user@example.com)
and with that email address examines the SPF record of example.com. The 'a'
mechanism fails, but 'exists' returns 'pass' and the mail is accepted.
This works only if the following formats are used:
SRS0=HHH=TT=orig-domain=orig-local-part@domain
SRS1=HHH=orig-local-part==HHH=TT=orig-domain=orig-local-part@domain

5. The MTA receives mail from forwarder.com (doing SRS+DBBF) saying
MAIL FROM:<SES0=aHhf6sKu6Grf65HJfR5Fu@forwarder.com>
--> The program cannot extract the original sender and examines the SPF
record of forwarder.com. If the SRS was applied by the forwarder, the result
is 'pass' and the mail is accepted.

6. The MTA receives mail from spammer.com saying
MAIL FROM:<@spammer.com:SES0=ABCD=XY=user@example.com>
--> The program extracts the original sender (SES0=ABCD=XY=user@example.com)
and with that email address examines the SPF record of example.com. The
result is 'fail'. Since there is the modifier "only=orig", the program does
not examine the SPF record of spammer.com and the mail is rejected.

Roger
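
The extraction step that examples 3 to 6 depend on, as an added sketch that is not part of the original message or of any SPF implementation. The function name `original_sender` is hypothetical, and the parser assumes exactly the RSR source-route form and the two SRS layouts listed under example 4.

```python
def original_sender(mail_from):
    """Return (address, domain) whose SPF record should be examined.

    The result is taken from untrusted input: it only selects which
    domain's record to evaluate, it is never a verdict by itself.
    HHH (hash) and TT (timestamp) are not validated here.
    """
    addr = mail_from.strip().strip("<>")

    # RSR: "@forwarder.com:local@domain" -> drop the source route.
    if addr.startswith("@") and ":" in addr:
        addr = addr.partition(":")[2]

    local, _, domain = addr.rpartition("@")

    # SRS1=HHH=...==HHH=TT=orig-domain=orig-local-part
    # Everything after the first "==" has the SRS0 field layout.
    if local.startswith("SRS1=") and "==" in local:
        local = "SRS0=" + local.partition("==")[2]

    # SRS0=HHH=TT=orig-domain=orig-local-part
    # maxsplit=3 keeps "=" inside the original local part (e.g. SES0=...).
    if local.startswith("SRS0="):
        fields = local[len("SRS0="):].split("=", 3)
        if len(fields) == 4 and fields[2] and fields[3]:
            _hash, _timestamp, orig_domain, orig_local = fields
            return f"{orig_local}@{orig_domain}", orig_domain

    # Nothing to unwrap (direct mail, or an opaque rewrite as in
    # example 5): fall back to the domain that is actually visible.
    return addr, domain


if __name__ == "__main__":
    # Envelope senders from the examples above, plus one constructed SRS1.
    samples = [
        "<SES0=a69L=7G=user@example.com>",
        "<@forwarder.com:SES0=a69L=7G=user@example.com>",
        "<SRS0=7fGy=7G=example.com=SES0=a69L=7G=user@forwarder.com>",
        "<SRS1=AbCd=user==7fGy=7G=example.com=user@relay.example>",
        "<SES0=aHhf6sKu6Grf65HJfR5Fu@forwarder.com>",
        "<@spammer.com:SES0=ABCD=XY=user@example.com>",
    ]
    for s in samples:
        print(s, "->", original_sender(s))
```

For the last sample the function returns example.com as the domain to check, which is what lets the 'exists' lookup in example 6 fail the forged address.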