On Fri, Nov 19, 2004 at 12:26:37PM +0000, Mark wrote:
I think it's been said before, but such an IT organization would be
irresponsible and recklessly incompetent. Not saying that's
impossible -- of course there are IT organizations that don't do their
jobs. They would be guilty of not doing their jobs correctly if they
restricted you from sending and then didn't give you a way to send
stuff that is supported.
[...]
If you're a senior network administrator, and you have been
granted/decided to set "-all" for your company's domains, then yes, it is
reasonable that you are aware of the consequences, and that you have
provided "trusted mechanisms" to authenticate/authorize relays for those
situations where "-all" would come to bite you in the ass. So, it is not
so much, I believe, that Vivien's argument falls on deaf ears; but ere
that there is no framing a sender policy around stupidity.
This does not take into account that sometimes on the receiving end
things go wrong.
Receivers think they are allowed to resubmit messages using the original
envelope sender. This means a message is sent from an MTA that is not
authorized to use the RHS.
While I think this is a problem that should be solved separate from SPF,
it is something that is easily overlooked by
-a- network admins (some of them)
-b- users of the domain (most of them)
When publishing "-all", one is publishing a policy that does not allow
using the domain for any purpose. This includes
forwarding_without_changing_the_envelope (NOT forwarding in itself).
Forwarding in itself is not something that the SPF community needs to
discuss. Using a RHS not under control of the submitting MTA is.
I think it is time to discuss forwarding without changing the envelope
(and I do _not_ mean this should be an SRS/SES discussion) and take a
stand. We won't reach consensus, but I am confident we can reach rough
consensus.
Here's my opinion:
When my domain sends a message to a third party, this third party should
not use my domain name when it decides to forward the message. If it
needs to forward the message, it should generate a new message, either
copying the content or attaching the original message, and use its own
envelope to send that new message. It is up to this third party to select
a tool (be it SES or whatever) to streamline this work.
Using someone else's RHS is bad, not only from an SPF perspective. It
has worked for a long time, just like phishing. It is not an SPF problem.
Alex
--
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers. If
you reply to me off-list, you'd better tell me you're doing so. If
you don't, and if I reply to the list, that's your problem, not mine.