spf-discuss

RE: RE: Sender ID in the news

2004-10-27 21:54:44
> From: Julian Mehnle
> Sent: Wednesday, October 27, 2004 8:45 AM
>
> Seth Goodman [sethg(_at_)GoodmanAssociates(_dot_)com] wrote:
> > Hey, I agree with both of you on this.  This is where SPF started and I
> > think it's still the right approach.  Authenticate the 2821 address
> > first, and then hope that the domain owner enforces submission rights
> > and publishes that fact to allow you to look for equivalence of 2821
> > and 2822 sender addresses.
>
> I thought one of the main points of RFC 2822 checking was to avoid the
> forwarding problems of RFC 2821 checking.  If you do both, you might get
> the worst of both worlds.

There must be something in the way I'm expressing myself on this, because
every time I post on this I seem to create more confusion.  It appears I
have a natural talent for this.  I am not, not, not {...} advocating the
dual-purposing of records written for a single, clear purpose.  That is
faulty logic and will result in serious problems for anyone that does this.
It won't be us because we understand the consequences.  What I was
advocating is not an option for very many people, because as Frank has
correctly pointed out, the "enforce submission rights" part of RFC2476 only
covers the return-path and is optional at that.  While some ISPs enforce
the MAIL FROM: submission rights, I've yet to hear of one who actually adds
a Sender: header when the From: does not match MAIL FROM:.  That's not even
a SHOULD in the RFC, it's a MAY, so don't hold your breath.

Now, if you happen to run your own mail server (or ISP) and you _do_ enforce
your users' use of both 2821 MAIL FROM: and 2822 From:/Sender:, you _should_
be able to publish the fact that you enforce this strict sender policy.  You
will be asking recipients who are presented with messages that do not meet
this policy to please reject them since they could not have come from you.
If you really do run that clean an MSA, you will be doing both yourself and
the potential forgery victims a favor.  What's wrong with that?

This is not using any existing spf1 record for a purpose that was not
intended.  No one with an existing record would have their record
interpreted any differently than it is today.  It requires the domain owner
who runs a particularly strict operation to actively publish an additional
modifier ("eh" suggested by William for "equivalent headers") that informs
recipients of their strict outgoing controls.  This is a modifier, not a
mechanism, so hosts that don't understand it MUST ignore it.  I cannot see
how this will impact anyone negatively and people who do a very good job of
running an MSA and wish to publish that fact will get a slight benefit.

Most of us, myself included, will not be in a position to benefit from this
as our providers do not yet meet these standards.  But for the few providers
who take the trouble to really do it right, meaning enforcing submission
rights on both 2821 and 2822 identities and providing SMTP AUTH so their
customers can always send from their own servers, why can't we give them a
small benefit and some encouragement in the form of extra joe-job protection
that doesn't cost the rest of us anything?

--

Seth Goodman
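As an added illustration of the proposal discussed above (not code from the list or from any SPF implementation), here is a receiver-side check: it runs only after SPF has already given the RFC 2821 MAIL FROM a "pass", treats the "eh" modifier as a name=value term that is ignored unless the publishing domain opts in, and compares the RFC 2822 Sender:/From: domain with the MAIL FROM domain. The spelling "eh=yes" and the sample records are assumptions for this example; the modifier was only a suggestion on the list.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed record: a domain that enforces submission rights on both the
# RFC 2821 MAIL FROM and the RFC 2822 From:/Sender: identities and advertises
# that fact with the proposed "eh" (equivalent headers) modifier.
# The exact syntax "eh=yes" is an assumption for this example.
STRICT_RECORD = "v=spf1 mx ip4:192.0.2.0/24 -all eh=yes"
# Constructed record of an ordinary domain publishing no such modifier;
# it must be interpreted exactly as it is today.
PLAIN_RECORD = "v=spf1 mx -all"


def publishes_eh(spf_record: str) -> bool:
    """True if the record carries the eh modifier.
    Modifiers are name=value terms; a receiver that does not know eh
    ignores it, so only an eh-aware receiver ever gets here."""
    for term in spf_record.split()[1:]:
        if "=" in term:
            name, value = term.split("=", 1)
            if name.lower() == "eh" and value.lower() in ("yes", "1", "true"):
                return True
    return False


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; empty for the null sender."""
    _, spec = parseaddr(addr)
    return spec.rpartition("@")[2].lower()


def header_identity(from_hdr: str, sender_hdr: Optional[str]) -> str:
    """RFC 2822 identity to compare: Sender: when present, else From:."""
    return domain_of(sender_hdr) if sender_hdr else domain_of(from_hdr)


def eh_verdict(spf_record: str, mail_from: str, from_hdr: str,
               sender_hdr: Optional[str] = None) -> str:
    """Apply the eh policy to a message whose MAIL FROM already passed SPF.
    'ignore' when the domain publishes no eh modifier (record unchanged),
    'match' when the header identity equals the MAIL FROM domain, and
    'reject' only because the domain itself asked for that outcome."""
    if not publishes_eh(spf_record):
        return "ignore"
    if header_identity(from_hdr, sender_hdr) == domain_of(mail_from):
        return "match"
    return "reject"
```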

