On Thu, 18 Nov 2004 12:10:46 -0500, Theo Schlossnagle wrote:
> On Nov 18, 2004, at 11:59 AM, Dave Crocker wrote:
> > As has happened to me several times over the last few weeks, I
> > needed to use machines and networks that were not in my regular
> > set. This meant using MTAs that were not in my regular set.
> > Some were public kiosks and some were friends' PCs, where I set
> > the rfc2822.From field to be my address.
> >
> > All of the messages from those situations would be assessed as
> > "unauthorized" and therefore would be falsely rejected.
> >
> That's not precisely true. IF the owner of the domain that was
> present in your RFC2822 From address says that you can't do
> that... then you can't do that, and it isn't a false positive -- It's
> a painful policy.
I was not describing unauthorized usage. I was describing spontaneous usage.
SPF essentially eliminates spontaneous scenarios, by virtue of requiring
pre-registration.
It's a lot like saying that you cannot drop a postal letter into just any ol'
mailbox, because you would need to pre-register it with the letter-carrier who
will drop it in the delivery mail slot.
> Of course, if people published RFC2821 policies are suddenly
> interpreted in an RFC2822 context, then absolutely. Maybe I
> missed the first part of this thread and that is what you are
> referring to as "SPF".
rfc2821.mailfrom is set by the rfc2822.sender. So, mailfrom might appear in
the envelope, but it represents the world of the author, not the world of the
carrier (MTA), even though it registers MTA information.
On Thu, 18 Nov 2004 19:00:24 +0100, jpinkerton wrote:
> If you choose to use your friend's e-mail service to send your
> mails and spoof your own address - that's SPOOFING - and *exactly*
This nicely demonstrates the problem with mis-using important terminology.
The dictionary definition of 'spoof' is "a hoax". The computer science use of
the word is similar.
Certainly the scenarios I described were not hoaxes. There was nothing false
or misleading about the use. They were authorized and they correctly
identified the actual author (me).
> what SPF tries to eliminate - it's an e-mail pretending to come
> from somewhere it doesn't - just like thousands of spam mails
> every minute.
There was nothing about the scenarios that involved pretending. Merely
spontaneous usage.
> You could persuade your friends to have spf records which would
> include your own domain of course, and that would make it work
> perfectly.
We're sitting in a meeting. My friend is not a geek; they do not administer
domain names.
I need to send a message urgently. It's really important. I ask to send a
message from their pc, and set the rfc2822.From field to be my actual email
address.
Now, how is this scenario unreasonable, and/or how can SPF work "correctly" in
this real-world situation?
> On the other hand - you could always use your considerable
> technical skills to set yourself up with your own smtp-auth on
And what about supporting the 999,000,000 users of the Internet who are not
geeks?
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com