spf-discuss

RE: Sendmail white paper

2004-11-23 05:30:49
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David 
Woodhouse
Sent: Tuesday 23 November 2004 11:30
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Sendmail white paper

> On Mon, 2004-11-22 at 20:40 +0000, Mark wrote:

> > When you put it like that, it sounds like it is "my" decision; but it
> > is really that of the domain owner. I take it an admin who adds
> > "-all" SPF records is sufficiently confident about the manner in which
> > mail for his domain is going to be relayed.

> You directly contradict what Scott Kitterman says. He says it's OK to
> publish '-all' because sites whose users may forward mail to its final
> destination there (i.e. most ISPs) should know not to check SPF.

Not doing SPF checks for mail that is going to be forwarded is just
passing the phishing buck to the next hop. It could be a policy; it is not
mine, however.

SPF is about the legitimacy of a relay. You cannot pass a "neutral",
"pass", or "unknown" to the next hop, as the forwarder introduces his own
relay, with his own SPF records. Therefore, looking at it from the
perspective of the relay, the SPF record of the incoming relay is really
irrelevant with regard to forwarding (except when the incoming mail
"fails" to begin with).

> But you say that you should check SPF because sites whose users may
> _send_ mail to users who forward mail should know not to publish SPF.

No; I am saying forwarders should do SRS. :)

> In practice it's impossible for most large sites to know
> either whether they'll send mail to a forwarding address, or whether
> they'll receive mail which is forwarded. Thus, one should neither
> publish nor obey '-all' records, yet each of you seems to be blaming
> the other end for the problem.

The forwarding "problem" is as old as SPF. In practice, however, when I do
SRS, the problem is as good as solved. Because forwarding, via, say, a
.forward file, is rarely a multiple-hop thing. Theoretically, yes, the
mail I forward could hit another .forward, at the receiving machine; so it
could be an A -> B -> C -> D thing. Of course. But that would be silly,
because a common-sense user wanting his mail forwarded, should just use
A -> C -> D, where I am C (cutting out B). And if I, as C, do SRS, then
things work. And, in practice, without the cooperation of the entire
world.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx


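The A -> C -> D case in the message above, as an added example that is not part of the original post or of any SRS library: a minimal SRS0 rewrite at the forwarder C, so that D's SPF check is evaluated against C's own domain and a bounce can be mapped back to the original sender only when the hash verifies. The secret, the forwarder domain and the sender address are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed example secret; a real forwarder keeps this private and rotates it.
SECRET = b"example-secret-do-not-use"
# SRS encodes the timestamp in base32 with this alphabet.
SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(days=None):
    """Two base32 characters encoding (days since the epoch) mod 1024."""
    if days is None:
        days = int(time.time() // 86400)
    days %= 1024
    return SRS_ALPHABET[days >> 5] + SRS_ALPHABET[days & 31]


def srs_hash(timestamp, domain, local):
    """Truncated HMAC over timestamp+domain+local so the address cannot be forged."""
    msg = (timestamp + domain.lower() + local).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, forwarder_domain, days=None):
    """Rewrite the envelope sender at C: SPF at D now sees C's domain, not A's."""
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address):
    """Undo the rewrite for a bounce; None if the address is not ours or the hash fails."""
    local, _, _ = address.rpartition("@")
    if not local.startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)  # hash, timestamp, original domain, original local part
    if len(parts) != 4:
        return None
    h, ts, domain, orig_local = parts
    if not hmac.compare_digest(h, srs_hash(ts, domain, orig_local)):
        return None
    return f"{orig_local}@{domain}"


def spf_domain_checked_at(envelope_sender):
    """The domain the next hop evaluates SPF against: the envelope sender's domain."""
    return envelope_sender.rpartition("@")[2]
```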