spf-discuss

Re: Re: New ideas for RFC2822 headers checking with SPF

2004-10-23 13:59:03
 Frank Ellermann expressed the concern:

Seth Goodman wrote:

In fact if someone is offering me a message, why should I
exclude myself from scrutinizing anything in that message
before deciding to accept it?

You are of course free to do with your mail whatever you like.
It's less simple if you are processing mail for 3rd parties
(= your users), because then you can't do whatever you want
without prior consent.  Hector often cited some of the legal
aspects here.  E.g. GMail might be illegal where I live, and
maybe also in California.
...

Are we still talking about using William's Record modifier which says something
to the effect 'my 2821 MAIL_FROM should be from the same domain as (or identical
to?) my 2822 FROM' ?

I argue that the presence of that modifier in the sender's SPF policy
constitutes the sender giving a carrier (MTA-operator) the _authority_ to
inspect at least that part of the message.

So, as long as one first validates the MAIL FROM and gets an SPF 'pass', and if
the modifier is present, the sender can be taken to have given
permission/consent for the message's FROM header to be inspected.

We should write this as an explicit part of the I-D/RFC:

 "By using this modifier in a published record, the sender gives permission for
intermediaries to locate and inspect the related content header from within the
message, and to make consequent decisions on the disposition of the message".

That should give some degree of legal protection (the usual IANAL caveat
applies).

If the sender does not agree to having the message examined, then she should not
include that modifier in her policy.

Chris Haynes


