>
>>There are several other situations like that which push up the number of
>>lookups
>>needed.
>
>Why does *any* domain need to include another domain in its SPF
>record? The other domain is acting as a forwarder. It should authenticate
>the sending domain just like any forwarder would. If there is some
>relationship between the sender and the forwarder, that might make the
>authentication trivial, but to anyone downstream it should look like a
>normal authentication.

I think you need to explain what definition of forwarding you are using.
MSA/MTA transmission of an e-mail after submission by an MUA is not what I
think most people mean by forwarding.

Any transport of mail through a separate Administrative Domain should be
considered a forwarding. Making an exception when the domains are
"related" leads to unnecessary complications in the protocol, and confusion
at the receiving end. The receiver has no way to know which domains are
related.

Authentication should be done by the incoming machine in each domain, the
one that has a TCP connection to a machine in the sender's domain. This
authentication should be done, even if it is a mere formality.

Authentications should not be done between machines within the same
Administrative Domain. This will only add to the clutter and confusion in
a long list of headers. The boundaries of an Administrative Domain should
not be confused by poor choice of names within a domain.

-- Dave
David MacQuigg, PhD          email: dmquigg-spf at yahoo.com
IC Design Engineer           phone: USA 520-721-4583
Analog Design Methodologies
9320 East Mikelyn Lane
VRS Consulting, P.C.         Tucson, Arizona 85710