On Thu, 7 Oct 2004, Tony Finch wrote:
> Or maybe you really do mean what your SPF record says and you want to be
> unable to email a large proportion of open source software developers and
> academics, etc.
SPF records authenticate the first hop only (except with SES). An MTA
that attempts to apply it to subsequent hops is broken. There are several
competing methods for distinguishing first hops from forwards, and for
authenticating forwards. I'll review them here off the top of my head.
Keep in mind that forwarding is something set up by the mail receiver.
Greeting card sites are the sender's choice and the sender's problem - they
should not be called forwarders for the purposes of this discussion.
Mailing lists already work with SPF (unless they are really braindead).
Also, I DO REALIZE that large ISPs typically don't have any method in
place for users to configure forwarders - and hence they feel that they
don't have any choice of forwarders. This is not true. They have chosen
a policy that lets users choose forwarders without restriction or
feedback.
=== The null methods which don't really address the problem ===
0) don't check SPF - then you won't reject any legit mail
0.5) check SPF, but don't reject FAIL. Convert the result to
a score which is combined with other measures. (Spamassassin)
=== Addressing the problem at the receiver and forwarder ===
1) SPF compliant forwarders check SPF and implement SRS.
Receiver checks SPF on all mail, but accepts SRS mail only from trusted
type 1 forwarders. This is the standard option originally envisioned
by the SPF developers.
1.5) SPF compliant spammers do SRS but don't check SPF.
Receiver checks SPF on all mail. Any forwards without SRS will bounce.
Spammers will be able to send the receiver forged email
with their SPF compliant SRS forwarder (which doesn't
check SPF). This is the *worst* option, but seems to
be the one most people gravitate toward, and the one
attacked by critics of SPF.
2) Forwarders check SPF but don't implement SRS.
Receiver accepts all mail from trusted type 2 forwarders without
checking SPF. Secondary MXes will likely be type 2,
but it works for other forwarders as well. Hey - if you trust
the forwarder to do SPF for you, why bother with SRS?
3) Forwarders don't check SPF or do SRS.
Receiver accepts all mail from trusted type 3 forwarders without
checking SPF. Hey - it's no worse than before.
All of the above can be configured per recipient for large ISPs. Give
the user a web page where they can list their forwarders with type.
The user only needs to select 'SRS Forwarder' or 'Standard' for type (or
tick an SRS checkbox). The handling of type 2 and 3 forwarders is the same at
the ISP.
=== Addressing the problem at the sender ===
4) Use SES to sign outgoing mail, and validate via exists in the
SPF record. Works with all kinds of forwarders.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
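The receiver-side decision described in options 1 through 3 above, written out as a small Python policy function. This is an added illustration, not code from the original message or from any MTA: the SPF records, IP addresses, domains (other than bmsi.com, which is the author's) and the per-recipient forwarder list are constructed assumptions, and the SPF check is a stub that understands only ip4 literals and the -all default. It also shows the option 1.5 case, where an SRS-rewriting host that is not a trusted forwarder passes SPF for its own domain yet must still be rejected.

```python
"""Receiver-side SPF/SRS policy over a per-recipient forwarder list.

Constructed example. SPF_RECORDS, the IPs and EXAMPLE_FORWARDERS are
assumptions made for this illustration, not real DNS data.
"""

# Assumed SPF data: domain -> (hosts allowed to send as that domain, default)
SPF_RECORDS = {
    "bmsi.com":            (["192.0.2.10"],   "-all"),
    "fwd.example.org":     (["198.51.100.5"], "-all"),  # trusted SRS forwarder
    "srs-spammer.example": (["203.0.113.9"],  "-all"),  # option 1.5 attacker
}

# Assumed forwarder list for one recipient: client IP -> forwarder type
# (1 = checks SPF and does SRS, 2 = checks SPF only, 3 = neither).
EXAMPLE_FORWARDERS = {"198.51.100.5": 1, "192.0.2.77": 2}


def check_spf(client_ip, mail_from):
    """Stub SPF check on the envelope sender's domain (first hop only)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in SPF_RECORDS:
        return "none"
    allowed, default = SPF_RECORDS[domain]
    if client_ip in allowed:
        return "pass"
    return "fail" if default == "-all" else "softfail"


def is_srs(mail_from):
    """SRS-rewritten envelope senders start with SRS0= or SRS1=."""
    return mail_from.upper().startswith(("SRS0=", "SRS1="))


def srs0_original(mail_from):
    """Recover local@domain from SRS0=HHH=TT=domain=local@forwarder.

    The hash (HHH) and timestamp (TT) are not verified here; only the
    forwarder that created the address holds the secret to check them.
    """
    local = mail_from.split("@", 1)[0]
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _tag, _hash, _ts, domain, orig_local = parts
    return "%s@%s" % (orig_local, domain)


def decide(forwarders, client_ip, mail_from):
    """Return (action, reason) for one envelope, given the recipient's list.

    The list is keyed by client IP for simplicity; a real MTA would more
    likely key on a verified HELO or reverse-DNS host name.
    """
    ftype = forwarders.get(client_ip)
    if ftype in (2, 3):
        # Types 2 and 3 are handled identically: trust the forwarder, skip SPF.
        return "accept", "trusted type %d forwarder, SPF not checked" % ftype
    spf = check_spf(client_ip, mail_from)
    if spf == "fail":
        # Covers forgery, and also plain (non-SRS) forwards from hosts the
        # recipient never listed, which is why the list is needed at all.
        return "reject", "SPF fail for %s" % mail_from
    if is_srs(mail_from) and ftype != 1:
        # Option 1.5: the rewriting host passes SPF for its own domain, but
        # that says nothing about the original sender it claims to relay.
        return "reject", "SRS sender from a host not listed as an SRS forwarder"
    return "accept", "spf=%s" % spf


if __name__ == "__main__":
    cases = [
        ("192.0.2.10",   "stuart@bmsi.com"),                                  # direct, SPF pass
        ("203.0.113.9",  "stuart@bmsi.com"),                                  # forged, SPF fail
        ("198.51.100.5", "SRS0=HHH=TT=bmsi.com=stuart@fwd.example.org"),      # type 1 forward
        ("203.0.113.9",  "SRS0=HHH=TT=bmsi.com=stuart@srs-spammer.example"),  # option 1.5
        ("192.0.2.77",   "stuart@bmsi.com"),                                  # type 2 forward
        ("192.0.2.78",   "stuart@bmsi.com"),                                  # unlisted forward
    ]
    for ip, sender in cases:
        action, reason = decide(EXAMPLE_FORWARDERS, ip, sender)
        print("%-13s %-50s %-6s %s" % (ip, sender, action, reason))
```

The unlisted plain forward in the last case is rejected for the same reason the forged message is: at the first hop the receiver cannot tell them apart, which is the point of letting each user register their forwarders.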