spf-discuss

Re: Redefine Received-SPF: slightly.

2004-12-05 10:28:42
----- Original Message ----- 
From: "Mark Shewmaker" <mark(_at_)primefactor(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, December 04, 2004 10:16 AM
Subject: [spf-discuss] Redefine Received-SPF: slightly.

Seemingly-unscoped spfv1 implicitly merges MAILFROM and HELO scopes.

The historical reason/excuse for the merged scopes is, (as I understand
it), that if your purpose is to test incoming mails' MAIL FROM values,
there's a bit of a hole in the process if you get a bounce with "MAIL
FROM:<>" and have nothing to test against, so we test against the HELO
argument instead, using the very same record.

The "standard" way of doing things has been to limit the SPF record for the
HELO name to "v=spf1 a -all" (as if it were a primitive form of CSV). One of
the good things about SRS, however (and SES for that matter) is that, when
configured as such, they come with a built-in protection against bounce
forgeries. Then it is not so much a matter of authorization at MAIL FROM:,
but one of possible rejection at the RCPT TO: command. Which, if you look at
it that way, frees up HELO for other purposes. :) Implementors of SRS/SES
have the advantage, here.

- Mark

        System Administrator Asarian-host.net

--
"If you were supposed to understand it,
we wouldn't call it code." -- FedEx
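
The RCPT TO check described in the reply above, as an added example that is not part of the original post and is not code from the SRS or SES projects. It uses a simplified HMAC-signed return path as a stand-in for SRS/SES; the `sig=` address format, the secret, the 7-day window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site signing secret
MAX_AGE_DAYS = 7                  # assumption: how long a bounce stays valid


def _tag(local: str, domain: str, day: int) -> str:
    """Short HMAC over the original address and the day it was signed."""
    msg = f"{day}:{local}@{domain}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def sign_sender(address: str, today: int) -> str:
    """Outgoing MAIL FROM: local@domain -> sig=<tag>=<day>=local@domain."""
    local, domain = address.rsplit("@", 1)
    return f"sig={_tag(local, domain, today)}={today}={local}@{domain}"


def spf_identity(mail_from: str, helo: str) -> tuple[str, str]:
    """Merged-scope behaviour from the thread: a null sender falls back to HELO."""
    if mail_from in ("", "<>"):
        return ("helo", helo)
    return ("mailfrom", mail_from.strip("<>"))


def accept_rcpt(mail_from: str, rcpt_to: str, today: int) -> bool:
    """RCPT TO decision: a bounce (null sender) must target a signed address."""
    if mail_from not in ("", "<>"):
        return True  # not a bounce; normal MAIL FROM checks apply elsewhere
    local, _, domain = rcpt_to.strip("<>").rpartition("@")
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "sig":
        return False  # bounce to an address we never used as a sender
    _, tag, day, orig_local = parts
    if not (day.isascii() and day.isdigit()):
        return False
    age = today - int(day)
    if age < 0 or age > MAX_AGE_DAYS:
        return False  # stale or future-dated signature
    expected = _tag(orig_local, domain, int(day))
    return hmac.compare_digest(tag.encode(), expected.encode())
```

With this check in place, a forged bounce is refused at RCPT TO without consulting any SPF record for the HELO name, which is the sense in which HELO is freed up for other purposes.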