spf-discuss

RE: Should I include major ISPs in SPF for our hosted domains?

2005-01-06 19:10:25
Stuart D. Gathman [stuart(_at_)bmsi(_dot_)com] wrote:
On Thu, 6 Jan 2005, Julian Mehnle wrote:
I do see two options for how to prevent cross-customer forgery
technically:

 1. Notice the SMTP-AUTH identity.  Receive the message including its
headers, and see if "From:"/"Sender:" matches the SMTP-AUTH identity.
If not, reject the message after DATA.

I disagree.  The ISP should simply compare the MAIL FROM domain with
a list of domains allowed for that SMTP-AUTH identity, and reject/alter
if not included.  No checking of 2822 headers should occur at the SMTP
level. Especially so, since this is the SPF group and not the Sender ID
group.

Oops, you're absolutely right, of course.  I don't know how I could have
mixed up RFC 2821 and 2822 identities.  It must have been a hard day...

I meant:

 1. Notice the SMTP-AUTH identity.  See if MAIL FROM matches the SMTP-AUTH
    identity.  If not, reject the MAIL FROM.

 2. Notice the SMTP-AUTH identity.  See if MAIL FROM matches the SMTP-AUTH
    identity.  If not, simply override MAIL FROM with an e-mail address
    that is appropriate for the SMTP-AUTH identity.

Thanks for correcting me.
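The corrected options above amount to a per-identity MAIL FROM policy applied by the ISP's submission server. The following is an added example written for this page, not code from the list or from either poster; the identities, domains and fallback addresses are constructed, and the policy table would in practice come from the ISP's customer database.

```python
import re
from typing import Optional

# Constructed sample policy: which MAIL FROM domains each SMTP-AUTH identity
# may use, plus the address substituted under option 2 (override).
ALLOWED_DOMAINS = {
    "alice@customer-a.example": {"customer-a.example", "news.customer-a.example"},
    "bob@customer-b.example": {"customer-b.example"},
}
FALLBACK_ADDRESS = {
    "alice@customer-a.example": "alice@customer-a.example",
    "bob@customer-b.example": "bob@customer-b.example",
}

# RFC 2821 MAIL FROM argument: "<local@domain>" (angle brackets optional in
# practice). The null sender "<>" carries no domain and yields None.
_MAILFROM_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def mailfrom_domain(mail_from: str) -> Optional[str]:
    """Extract the domain part of a MAIL FROM argument, lower-cased."""
    m = _MAILFROM_RE.match(mail_from.strip())
    return m.group(2).lower() if m else None


def check_mail_from(auth_id: str, mail_from: str, mode: str = "reject"):
    """Apply the policy at the MAIL FROM stage (no 2822 headers involved).

    Returns (action, value): ("accept", mail_from), ("reject", smtp_reply)
    or ("rewrite", new_mail_from). mode="reject" is option 1, mode="rewrite"
    is option 2 from the message above.
    """
    allowed = ALLOWED_DOMAINS.get(auth_id)
    if allowed is None:
        # Unknown identity: nothing to compare against, so always reject.
        return ("reject", "550 5.7.1 SMTP-AUTH identity not authorised to relay")
    domain = mailfrom_domain(mail_from)
    if domain is not None and domain in allowed:
        return ("accept", mail_from)
    # Mismatch (including the null sender, which names no customer domain).
    if mode == "rewrite":
        return ("rewrite", f"<{FALLBACK_ADDRESS[auth_id]}>")
    return ("reject",
            f"550 5.7.1 MAIL FROM domain {domain or '(none)'} not permitted for {auth_id}")
```

Matching is done on the whole domain, so a subdomain is only accepted if it is listed explicitly; a server that wants to allow all subdomains of a customer's domain needs a suffix comparison instead.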

