spf-discuss

Re: Problem with SID

2005-06-22 21:18:00
...... Original Message .......
On Wed, 22 Jun 2005 23:09:04 -0400 "Dick St.Peters" 
<stpeters(_at_)NetHeaven(_dot_)com> wrote:
Stuart D. Gathman writes:
But all of the "forwarding problem" sob stories in spf-discuss I can
recall have been about attempting to check SPF for mail from your own
MX servers - an obvious misconfiguration.

I can't comment on what stories you might have seen, but you
completely misunderstood what I said.  The forwarding problem has
nothing to do with SPF checking of one's own MXs, and exactly none of
the SPF forwarding issue discussion I've seen over the last year has
involved such internal relaying.  (Anybody inept enough to apply SPF
checks during their internal relaying should have someone else
handling their email.)

1 of the 2 legitimate messages of mine that have been rejected due to SPF 
has been rejected by an internal relay (one company bought another, old 
border MTA became an internal relay).  This does come up on spf-help and in 
the submissions to the SPF site.

Trying one more time to explain what the problem actually is, we begin
with JaneDoe(_at_)aol(_dot_)com sending mail to an address in domain
example.com for which I do email processing.  Whether I do any SPF checking is
irrelevant to the forwarding problem.  (I do SPF checking, SID/PRA
checking, and DomainKeys verification, but none of that matters.)

What do matter are that I receive the mail for example.com and that my
user wants it relayed to his account at BigIsp.com.  This has always
been easy, and I do it for a bunch of domains.

When BigIsp.com turns on SPF checking, the mail I'm trying to relay to
my user at BigIsp.com is seen by BigIsp.com as mail with an @aol.com
MAILFROM coming from my server.  SPF rejects the mail that my user has
paid me to relay and has paid BigIsp.com to receive.

BigIsp should talk to their customers first and give them a way to 
whitelist you.

SPF doing what it's supposed to do breaks this very common forwarding
of mail.  THAT is the forwarding problem.

To flesh out why mail forwarding is common, in a typical scenario
example.com would involve multiple users receiving mail at addresses
in the same example.com domain while using a variety of destination
email accounts at a variety of providers.

Sure.  But there are only two ways to interpret the situation - 

1. Two networks - Sender's/Receiver's - Trust transition is at your MTA.  
That's the ONLY SMTP exchange for which SPF can be checked.  

2.  Three networks - Sender's/Receiver's/Forwarder's - Trust transitions are 
both sender to you and you to BigIsp.  In this case it's inappropriate for 
you to re-use sender's envelope. So, as you do, one should do SRS.

As long as BigIsp does SPF sensibly, there is no forwarding problem.

BTW, if any of your BigIsp are Hotmail, best read up on SenderID.

Scott K
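
The rejection and the SRS rewrite discussed in this message, as an added example that is not part of the original post and not the code of any SRS library. Assumptions: sender.example stands in for the original sender's domain, the SPF records and addresses are constructed (documentation ranges), only `ip4:` and `all` are evaluated, and the SRS0 tag and day fields use a simplified encoding.

```python
import hashlib, hmac, ipaddress

# Constructed SPF policies; real checks would fetch TXT records from DNS.
SPF = {
    "sender.example": ["ip4:192.0.2.0/24", "-all"],   # original sender's domain
    "example.com": ["ip4:198.51.100.25", "-all"],     # the forwarder's domain
}
SECRET = b"constructed-demo-secret"  # forwarder's private SRS key (assumed)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """What the receiving MTA does: test the connecting IP against MAIL FROM's domain."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:])):
            return RESULT[qualifier]
    return "neutral"

def _tag(ts, domain, local):
    # Keyed hash so third parties cannot mint valid bounce addresses.
    msg = f"{ts}{domain}{local}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:8]

def srs_forward(mail_from, forwarder, day):
    """Rewrite the envelope sender into the forwarder's own domain."""
    local, domain = mail_from.rsplit("@", 1)
    ts = str(day % 1024)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address):
    """Recover the original sender for a bounce; reject forged tags."""
    prefix, tag, ts, domain, local = address.rsplit("@", 1)[0].split("=", 4)
    if prefix != "SRS0" or not hmac.compare_digest(tag, _tag(ts, domain, local)):
        raise ValueError("invalid SRS address")
    return f"{local}@{domain}"

def demo():
    forwarder_ip, original = "198.51.100.25", "JaneDoe@sender.example"
    rewritten = srs_forward(original, "example.com", day=12345)
    # Same connecting IP, two envelopes: reused sender vs. SRS-rewritten sender.
    return check_spf(forwarder_ip, original), check_spf(forwarder_ip, rewritten), rewritten

if __name__ == "__main__":
    print(demo())
```
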


  • Re: Problem with SID, Scott Kitterman <=