spf-discuss
[Top] [All Lists]

2.3 Checking Authorization

2004-10-14 08:58:14
If the SPF check is not done when it is received, then how will the error be
returned to the sender?  Malformed domain!  What about forged addresses,
would you send a bounce back to the forged address?  Not good!  This is what
SPF is trying to stop!

Please consider changing SHOULD to MUST in this line:
        Software SHOULD perform this authorization check during the
processing of the SMTP transaction that injects the mail.

Thanks,
Guy

From the draft:

2.3  Checking Authorization

   A mail receiver can perform an SPF compliant check for each mail
   message it receives.  This check tests the authorization of a client
   host to inject mail with a given "Mail From" identity.  Typically,
   such checks are done by a receiving MTA, but can be performed
   elsewhere in the mail processing chain so long as the required
   information is available.

.
Snip
.

Software SHOULD perform this authorization check during the
   processing of the SMTP transaction that injects the mail.  This
   allows errors to be returned directly to the injecting server by way
   of SMTP replies.  Software can perform the check as early as the MAIL
   command, though it may be easier to delay the check to some later
   stage of the transaction.

   Software can perform the authorization after the corresponding SMTP
   transaction has completed.  There are two problems with this
   approach: 1) It may be difficult to accurately extract all the
   required information such as client IP address and HELO domain name.
   2) If the authorization fails, then generating a non-delivery
   notification to the alleged sender is problematic as such an action
   would go against the explicit wishes of the alleged sender.