On Thu, 24 Feb 2005, David MacQuigg wrote:
> 7.2 The Received-SPF header
>
>    It is RECOMMENDED that SMTP receivers record the result of SPF
>    processing in the message headers.
>
> Why only RECOMMENDED? It seems like this will be a MUST for
> forwarders. How else can they convey the results of their authentication
> downstream? Where is there any discussion of procedures for forwarding
> email, like how bounces should be handled?

If a forwarder rejects SPF fail, then Received-SPF is not absolutely
necessary for a forwarder - they don't need to convey the results
downstream. Bounces are handled the way they always have been.

Several concrete options have been provided for forwarders with
varying degrees of change required and transparency to end recipients.
In all cases the forwarder should check SPF and reject spf FAIL
before forwarding.

1) do nothing. The recipient whitelists the forwarder. Since envelope
   is unchanged, bounces go to the sender prior to the forwarder.

2) do one of several SRS flavors. The recipient doesn't need
   to treat the forwarder specially. Bounces go to the forwarder,
   then to the prior sender.

In neither case does the recipient do anything special with bounces.
They simply go to the return path (MAIL FROM) as always.

If the forwarder for some inscrutable reason decides not to check SPF
(e.g. pobox.com), then the recipient can still recover by using the
last Received header (presumably the forwarder can be trusted to get
that much right) and doing SPF themselves. This is, of course,
not at all transparent and a huge pain for the recipient (especially
if the forwarder does SRS without doing SPF since the SRS must
now be unwrapped) and they would be advised to use a different forwarder.
However, SpamAssassin is capable of doing "after the fact" SPF using
the Received header from a trusted forwarder.

--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
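
The recipient-side recovery described in the message above (SPF "after the fact" from a trusted forwarder's Received header, with SRS unwrapped), as an added example that is not part of the original post and is not SpamAssassin's code. It assumes one recipient MX hop, one forwarder hop, the common `from helo (rdns [ip])` Received layout and the SRS0 address layout; `spf_inputs`, `unwrap_srs0` and the sample message are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample (made-up hosts, documentation IP ranges, placeholder SRS
# hash/timestamp): the forwarder applied SRS but did not check SPF itself.
SAMPLE = """\
Return-Path: <SRS0=HHH=TT=example.org=alice@forwarder.example>
Received: from mail.forwarder.example (mail.forwarder.example [198.51.100.7])
\tby mx.recipient.example with ESMTP; Thu, 24 Feb 2005 10:00:05 -0500
Received: from mta.example.org (mta.example.org [203.0.113.25])
\tby mail.forwarder.example with ESMTP; Thu, 24 Feb 2005 10:00:01 -0500
From: alice@example.org
Subject: test

body
"""

# "from helo (rdns [ip])" as written by many MTAs; other layouts need their own pattern.
CLIENT_IP = re.compile(r"from\s+\S+\s+\((?:\S+\s+)?\[([0-9A-Fa-f:.]+)\]\)")
# SRS0=hash=timestamp=original-domain=original-local@forwarder-domain
SRS0 = re.compile(r"SRS0[=+-][^=]+=[^=]+=([^=]+)=(.+)@[^@]+$", re.I)

def unwrap_srs0(addr):
    """Recover the pre-forwarding MAIL FROM. The hash cannot be verified here
    (only the forwarder holds the secret), so call this only for mail that
    demonstrably arrived from the trusted forwarder."""
    if addr.upper().startswith("SRS1"):
        raise ValueError("multi-hop SRS1 address not handled")
    m = SRS0.match(addr)
    return f"{m.group(2)}@{m.group(1)}" if m else addr  # no SRS: unchanged

def spf_inputs(raw, forwarder_ips):
    """Return (client_ip, mail_from) to hand to an SPF checker, or None if the
    message did not reach us from a trusted forwarder."""
    msg = message_from_string(raw)
    hops = [CLIENT_IP.match(v) for v in msg.get_all("Received", [])]
    # hops[0] was written by our own MX, so its client IP is reliable.
    if len(hops) < 2 or not hops[0] or hops[0].group(1) not in forwarder_ips:
        return None
    if not hops[1]:  # forwarder's header in an unrecognised layout
        return None
    sender = unwrap_srs0(msg.get("Return-Path", "").strip().strip("<>"))
    return hops[1].group(1), sender
```

Checking the topmost Received header against the forwarder's known IPs first matters because every header below the recipient's own MX is supplied by the sending side and could be forged on mail that never passed through the forwarder.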