spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SPF Forwarding Scenario

2005-04-09 12:24:51
from [Stuart D. Gathman] [Permanent Link] 
On Sat, 9 Apr 2005, Commerco WebMaster wrote:


Given the txt records listed above, if the final receiver's MTA implemented 
SPF properly, would it be able to realize that domain.tld would not forward 
via spammer.tld and thus would avoid making an attempt to deliver to a 
local user at 10.111.111.1 and not bounce from their end back to 10.10.10.4?


Short answer: No

Long answer:

Normally, "Forwarder" refers to an alternate email address setup by the
recipient, which forwards mail to another mailbox.  The setup you described
is an "SMTP service" for the sender.  If the SMTP service has no restrictions
on who can relay mail through their service (open relay), then you would be
better off with no SPF record at all - and most of the world will have that
service blacklisted, so good luck sending mail.  If the SMTP service is not an
open relay, then they will have some controls on who can relay: perhaps only
allowing authorized IPs, or perhaps requiring SMTP AUTH.  In that case, the
spammer would
NOT be able to relay through the SMTP service.

To round out the discussion, suppose there is a real forwarder set up
by the recipient.  This forwarder must check SPF before forwarding anything,
or else any mail sent to the forwarded address can forge any sending domain.
If the recipient checks SPF, and the forwarder publishes SPF, and rewrites
the MAIL FROM with SRS, this confirms that the mail really came from the
forwarder.  It does not, however, verify the original domain.  The forwarder
should have done that.  If a forwarder does not publish SPF, then the
recipient can trust that forwarder based on IP address, HELO name, or
whatever the forwarder provides that is verifiable.  But if the forwarder
does not check SPF, then mail to the forwarded address can still be forged.

In some cases, it is possible for the recipient to sort of check SPF
based on the Received header from the forwarder.  However, this is subject
to all the problems associated with "after SMTP" SPF checking.

Duh - I am tired of seeing critics point out that SPF is broken because
mail can be forged if a forwarder doesn't check SPF.  It doesn't help
that the supposed poster child for SPF forwarding - pobox.com - doesn't check
SPF by default.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SPF Forwarding Scenario, Commerco WebMaster
Next by Date:  SPF Softfail, Cyril Porseland
Previous by Thread:  SPF Forwarding Scenario, Commerco WebMaster
Next by Thread:  Re: SPF Forwarding Scenario, Commerco WebMaster
Indexes:  [Date] [Thread] [Top] [All Lists]