spf-discuss

Re: Why are so many DNS requests necessary at all?

2005-03-31 20:50:00
...... Original Message .......
On Thu, 31 Mar 2005 20:05:01 -0700 David MacQuigg <dmquigg-spf(_at_)yahoo(_dot_)com> wrote:
Sorry for getting into the forwarding issue here, but it is unavoidable in 
the discussion of DNS lookups.

At 12:36 AM 4/1/2005 +0100, Chris Haynes wrote:

In simple cases, that need only involve a single look-up.  The multiple
look-ups usually arise if you have a Mail From domain who uses a different
domain's servers to send its mail. Almost all small/medium business and
'vanity' domains are in this situation.

But these small domains are almost all *not* wanting to operate their own 
public mail servers, maintain their own DNS records, etc.  They just want 
to forward their mail through their ISP.

They use an ISP's outbound mail servers.  Now those ISPs are not going to
commit to using a stable set of servers for this (defined by their numeric
IP), so, for sensible change-control your small domain 'includes' the ISP's
record, which is then fetched at run-time by the receiver, so it is known to
be the current list used by the ISP.

A more efficient arrangement is for the ISP to act as a normal forwarder, 
and *authenticate* the small domain, then *authorize* its own mail 
servers.  This avoids the need to look up included records from another 
domain.

There are several other situations like that which push up the number of
lookups needed.

Why does *any* domain need to include another domain in its SPF record?
The other domain is acting as a forwarder.  It should authenticate the
sending domain just like any forwarder would.  If there is some
relationship between the sender and the forwarder, that might make the
authentication trivial, but to anyone downstream it should look like a
normal authentication.

I think you need to explain what definition of forwarding you are using.  
MSA/MTA transmission of an e-mail after submission by an MUA is not what I 
think most people mean by forwarding.

Scott Kitterman
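
The lookup counts discussed in this thread, as an added example that is not part of any message in it: a receiver-side walk of SPF records that counts TXT queries, showing one query for a self-contained record and more once `include` is followed. The domain names, addresses and records are constructed, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS (reserved example names/ranges).
ZONE = {
    "selfhosted.example": "v=spf1 ip4:203.0.113.5 -all",
    "smallbiz.example": "v=spf1 include:isp.example -all",
    "isp.example": "v=spf1 ip4:192.0.2.0/24 include:outbound.isp.example -all",
    "outbound.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(domain, ip, counter):
    """Evaluate a subset of SPF; counter[0] is incremented per TXT query."""
    counter[0] += 1  # one TXT query for this domain's record
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULTS[qualifier]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ipaddress.ip_address(ip) in net:
                return RESULTS[qualifier]
        elif term.startswith("include:"):
            # include matches only if the nested record evaluates to pass;
            # fetching that record costs another query at the receiver.
            if check_host(term[8:], ip, counter) == "pass":
                return RESULTS[qualifier]
    return "neutral"


def evaluate(domain, ip):
    """Return (SPF result, number of TXT queries the receiver made)."""
    counter = [0]
    return check_host(domain, ip, counter), counter[0]


if __name__ == "__main__":
    for dom, ip in [("selfhosted.example", "203.0.113.5"),
                    ("smallbiz.example", "192.0.2.10"),
                    ("smallbiz.example", "198.51.100.7")]:
        print(dom, ip, evaluate(dom, ip))
```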

