spf-discuss

RE: Some thoughts about spam and SPF

2004-08-23 09:01:18
From: Meng Weng Wong
Sent: Friday, August 20, 2004 9:20 PM


On Thu, Aug 19, 2004 at 10:32:28PM -0400, Scott Kitterman wrote:
| OK.  If I sign up and want to send e-mail from my domain, how do you
| determine if I'm an authorized user of that domain?  What prevents your
| other customers from forging my domain?  SMTP Auth says that I'm a customer
| of yours.  It doesn't, in and of itself, say what domains I'm authorized
| to send mail from.

consider pre-emptive SPF checks on outgoing mail :)

I was interested in the same thing a while back, but I don't think SPF
has quite the semantics necessary.  A domain owner can publish a record
saying that, in addition to their own MTA, legitimate mail can come from
JoesISP.net.  However, it doesn't give JoesISP a clue as to which of his
users is permitted to use what address at the foreign domain.  This is
why you run into a quandary when trying to set an ISP as secondary mail
source for the convenience of some employees:  anyone at that ISP can
then use any address at your domain.  You are forced to use "?" in the
record, which in the long run means a lower grade of delivery.

What would be really nice for ISPs is if the domain owner could somehow
publish what user at a given ISP could use what address at his domain.
Then the domain owner could put a "+" in front of that record and the
ISP would have a zero-administration method of forgery prevention.  Of
course, the real answer is for the domain owner to provide SMTP AUTH and
use the ISP for connectivity plus personal mail services.  That way,
there are no additional MTAs listed with "?".  If enough MTAs provided
SMTP AUTH access, maybe, just maybe, ISPs could be convinced that their
customers sending out mail as anything but user@ISP.net constitutes a
forgery.  Sorry, I must have been daydreaming.

--

Seth Goodman
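The quandary Seth describes, as an added example that is not part of the thread: a minimal SPF evaluator (ip4 mechanisms with qualifiers plus "all"; no DNS, include, a/mx or macros) run against a constructed example.com policy that lists the owner's MTA at 203.0.113.10 and an ISP's outbound range at 198.51.100.0/24. The domain and addresses are assumptions for illustration.

```python
import ipaddress

# Hypothetical simplified evaluator: only "ip4" mechanisms with a qualifier
# and the "all" mechanism, no DNS lookups. Enough to show the point below.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(records, client_ip, mail_from):
    """Return the SPF result for a message from client_ip with MAIL FROM mail_from.

    Only the domain part of mail_from selects a policy; the local-part is
    never consulted, because SPF has no mechanism that says which user at
    the ISP may use which address at the domain."""
    domain = mail_from.rsplit("@", 1)[1]
    record = records.get(domain)          # stands in for the DNS TXT lookup
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                   # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no "all" term


# Constructed policies for example.com. The ISP's range is the same in both;
# only the qualifier in front of it differs.
RECORDS_NEUTRAL = {"example.com": "v=spf1 ip4:203.0.113.10 ?ip4:198.51.100.0/24 -all"}
RECORDS_OPEN = {"example.com": "v=spf1 ip4:203.0.113.10 +ip4:198.51.100.0/24 -all"}


def isp_customer_results(records, client_ip="198.51.100.77"):
    """Results for an employee and for an unrelated ISP customer sending from
    the ISP's outbound MTA: the evaluator cannot tell them apart."""
    return {
        "employee": evaluate_spf(records, client_ip, "employee@example.com"),
        "stranger": evaluate_spf(records, client_ip, "stranger@example.com"),
    }
```

With "?" both senders get neutral (a lower grade of delivery for the real employee); with "+" both get pass, so any customer of the ISP can use any address at example.com.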