spf-discuss

Re: purely dual-format approach

2004-11-02 13:29:50
Hello!

On Tue, Nov 02, 2004 at 01:33:30PM -0500, Jeff Macdonald wrote:

In mail from Yahoo Groups (yahoogroups.com) the PRA is the original sender.

And that is indeed the From header.

Most probably Yahoo will not add a Resent-Sender: or Resent-From: header.

I'd rather hear from Yahoo themselves regarding this.

I've checked a mail received from a Yahoo Group I participate in before
I wrote my recent mail where I acknowledged this.

At least in this mail, there was no Resent-* header at all, and Sender
was set to the same mail address as found in From, be it by Yahoo,
be it by the original sender's MUA, MSA or some MTA.

This means that all mail in a Yahoo Group from a domain that publishes an
SPF record will be rejected by any MTA that does PRA checking.

It was my understanding that most receivers would just add the result of
a PRA check to the spaminess of the message.

Yeah. But -all would mean that in theory this alone could already be
grounds for a complete rejection of the mail.

So if MTAs are going to use the currently published SPF records for PRA,
then mail through Yahoo Groups (and probably other mailing lists) will be
rejected and therefore the domain owners will remove their SPF records.

Just to be clear, that would be domain owners that are a result of PRA.
In the scenario you outlined above, that wouldn't be Yahoo. It would
only be for list members who publish SPF records. Yahoo doesn't
currently publish SPF records for returns.groups.yahoo.com.

And even if Yahoo did, that wouldn't be a problem if SPF would be
used for the envelope sender only, as is the intention of SPF v1.

The bad effect would happen in this case, if
1. the sender (or his provider) of the list submission had an SPF record
   *and* the receiver (or his provider) would abuse this for PRA
   checking instead of checking only the envelope sender, or
2. the sender (or his provider) sets up some record *intended* for PRA
   checking, the receiver (or his provider) used it, and the sender's
   record doesn't pass Yahoo for this PRA domain.

Kind regards,

Hannah.
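
The mismatch discussed in this message, shown as an added example that is not part of the original mail: it derives the PRA from a list mail's headers using a simplified header order (Resent-Sender, Resent-From, Sender, From, without the full algorithm's extra rules) and compares the domain a PRA check would look up with the domain an envelope-sender check would look up. The addresses, the sample messages and the function names are constructed for illustration; only the domain returns.groups.yahoo.com comes from the thread.

```python
from email import message_from_string
from email.utils import getaddresses

# Simplified PRA header order (assumption: the full algorithm has more rules).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(addr):
    """Lower-cased domain part of a mailbox address."""
    return addr.rpartition("@")[2].lower()

def pra(msg):
    """Return the purported responsible address, or None if malformed."""
    for name in PRA_ORDER:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if not values:
            continue  # header absent or empty: fall through to the next one
        if name in ("Sender", "From") and len(values) != 1:
            return None  # more than one Sender/From header is malformed
        addrs = [a for _, a in getaddresses(values[:1]) if a]
        return addrs[0] if len(addrs) == 1 else None  # need exactly one mailbox
    return None

def checked_domains(envelope_sender, raw_message):
    """Domains whose SPF record each kind of check would consult."""
    p = pra(message_from_string(raw_message))
    return {"envelope": domain_of(envelope_sender),
            "pra": domain_of(p) if p else None}

# Constructed list mail: no Resent-* headers, Sender equal to From,
# relayed by the list with the list's own envelope sender.
ENVELOPE = "bounce-0001@returns.groups.yahoo.com"
LIST_MAIL = (
    "Sender: alice@member.example\n"
    "From: Alice <alice@member.example>\n"
    "To: somegroup@yahoogroups.com\n"
    "Subject: hello list\n"
    "\n"
    "body\n"
)
# Same mail if the list had added a Resent-From header (constructed address).
LIST_MAIL_RESENT = "Resent-From: owner@lists.example\n" + LIST_MAIL

if __name__ == "__main__":
    for label, raw in (("as relayed", LIST_MAIL),
                       ("with Resent-From", LIST_MAIL_RESENT)):
        print(label, checked_domains(ENVELOPE, raw))
```

In the first case the PRA check consults the list member's domain, whose record does not list the list server, while the envelope-sender check consults the list's own return domain.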

