spf-discuss

Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-19 10:05:15
Friday, November 19, 2004, 9:03:06 AM, Alex wrote:

AvdB> On Thu, Nov 18, 2004 at 09:59:51PM -0800, Dave Crocker wrote:

When you walk up to an Internet kiosk in an airport and use
its mail service, but set the From field to your home email
address, you are not spoofing anything, since the message is from
you, and you are quite authorized.
<snip>

AvdB> I am a domain owner of "provider.tld".
AvdB> I am authorizing the use of "@provider.tld" from two hosts and those
AvdB> two hosts alone.
AvdB> You are my customer and decide to send mail from another computer
AvdB> called "kiosk.otherdomain.tld"

AvdB> In this scenario, you are still who you say you are.  You are not
AvdB> authorized to send mail from the kiosk.otherdomain.tld computer.
AvdB> I say again: You are _NOT_ authorized.
<snip>


Indeed this need have nothing to do with SPF; most of my commercial
customers have already made extensive use of white lists for many years
to generically block mail from their contacts that /may/ be spoofed.
Likewise sending domains make statements that messages not originating
from their servers are to be discarded as not-authorised.  The sending
domain IT people often however put in place explicit alternative methods
for unusual "kiosk.otherdomain.tld" origins as listed by Alex.

If you do not keep to the origin domain's rules or have not been
given explicit permission methods to send from an unusual location by
the domain IT or do not have existing whitelisting at a receiver for
an unusual origin then you can't expect post to be accepted but can
expect possible disciplinary action from the domain owner/employer.
(All staff should have been trained and signed the company security
policy, including Email/Internet sections)

SPF is a handy way for existing domain rules to be expressed in a
public way for examination/checking by everyone and reduce the size
and time cost of white lists.   And for those introducing domain
policy to do so efficiently and publicly.

-- 
Best regards,
 Shane
 

