spf-discuss

Re: Bootstrapping trust model

2004-06-15 05:09:52
Seth Goodman wrote:

3) One user sends mail on behalf of another user - this is
even more rare, but is also in the RFCs.  In this case,
there is one From: address and one Sender: address.  The
Sender: address takes precedence
[...]
5) Other cranky people who insist on setting a different
address for bounces

Now wait, that's not too unusual, or at least I do it every
day.  My From: (see header) normally matches the Mail From,
when I use the smart host of my mail provider.  But this is
actually an ISP, and they only relay for me while I'm online
using this ISP.

For some private reasons (read: online costs ;-) I regularly
use another ISP on Sundays and from 9:00 to 18:00 on weekdays.
This 2nd mail provider does the right thing, they won't allow
me to forge the MAIL FROM, and therefore my mail is sent with
a "MAIL FROM my address at 2nd ISP" and a "From my address at
1st ISP".

In theory I could add a Sender = 2nd address.  In practice my
MUA doesn't do this automatically.  In theory the MSA of the
2nd ISP could add a Sender = 2nd address.  In practice they
don't do it.  Therefore there's IMHO a case 5.a, where the
recipient could handle the missing Sender as if it matched
the obvious MAIL FROM (and continue with your case 3).

Another possible solution for me would be to use my 2nd address
as From = MAIL FROM, and my primary address in a Reply-To.  But
this solution wouldn't work in some cases (mailing lists, old
software, etc.).  Therefore I'm quite happy with a (correct)
MAIL FROM for technical problems and an independent From for
normal replies.  If you want a Sender matching the MAIL FROM
just pretend that it's there.

Really weird is IMHO Sender <> From <> MAIL FROM <> Sender, or
at least I don't see why this should be allowed.  But the case
MAIL FROM <> From and no Sender could be handled like case 3:
MAIL FROM <> From and Sender ~ MAIL FROM.

If there are any significant cases that this breaks, not as
in "I might have to change something", but rather "I must
have this functionality for the following reason and I can't
use any of the workarounds", please speak up.

                 Done, bye, Frank
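
The handling proposed in the message above (a missing Sender: treated as if it matched MAIL FROM, then processed like case 3), as an added example that is not part of the original thread. The function name, the labels and the sample addresses are hypothetical, and addresses are compared case-insensitively as a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr


def _addr(value):
    """Bare lower-cased address from a header value or envelope path."""
    return parseaddr(value or "")[1].lower()


def classify(envelope_from, raw_message):
    """Return (label, effective_sender) for one message.

    Labels are hypothetical names for the cases discussed in the thread.
    """
    msg = message_from_string(raw_message)
    mail_from = _addr(envelope_from)
    from_hdr = _addr(msg.get("From"))
    sender_hdr = _addr(msg.get("Sender"))

    if not mail_from:
        # Null reverse-path (bounce): there is no MAIL FROM to compare with.
        return "null-reverse-path", sender_hdr or None
    # Case 5.a: a missing Sender: is handled as if it matched MAIL FROM.
    sender = sender_hdr or mail_from
    if not from_hdr:
        return "unclassified", sender    # no usable From: header
    if from_hdr == mail_from and sender == mail_from:
        return "aligned", sender
    if sender == mail_from:
        return ("case-3" if sender_hdr else "case-5a"), sender
    if len({mail_from, from_hdr, sender}) == 3:
        return "all-differ", sender      # Sender <> From <> MAIL FROM <> Sender
    return "unclassified", sender


# Constructed sample messages (not taken from the thread).
NO_SENDER = "From: Frank <frank@isp1.example>\nSubject: test\n\nbody\n"
WITH_SENDER = "From: boss@corp.example\nSender: pa@corp.example\n\nbody\n"
THREE_WAY = "From: a@one.example\nSender: b@two.example\n\nbody\n"

if __name__ == "__main__":
    print(classify("<frank@isp2.example>", NO_SENDER))
    print(classify("pa@corp.example", WITH_SENDER))
    print(classify("c@three.example", THREE_WAY))
```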