spf-discuss

RE: Explain please (Was: SPF Stats)

2005-07-06 08:42:59
On Wed, 2005-07-06 at 09:22 -0600, Commerco WebMaster wrote:
> Okay.  Let's try working through the process to see if the issue can 
> be resolved.
> 
> The receiving MTA at the ISP managing the virtually hosted domain 
> gets a message from a sender MTA where the original MAIL FROM: domain 
> holder has an SPF record protecting their domain.  Presumably the 
> receiving MTA also checks for same to discover that the original 
> outbound server from that MAIL FROM: domain is valid.  So far so good.
> 
> That ISP MTA forwards its message on to another MTA, placing its own 
> stamp on the message header, and connects to another or the final 
> target MTA, the intended recipient's MTA.  Now then, would it not be 
> prudent for the final recipient's MTA to look at where the message 
> came from?  In other words, wouldn't the recipient's MTA know the set 
> of MTAs that it would allow to send forwarded messages from their own 
> ISP by simply checking that ISP's SPF record at connection time?  Say 
> they forward through more than one forwarder.  Is it really that much 
> of a burden on the final recipient MTA to check the incoming 
> connection to make sure it is really an authorized forwarder to the 
> final recipient's MTA for even several forwarding MTAs?

Yes. It's that much of a burden. The problem isn't really even tractable
at the moment. You can't use the SPF record for the 'forwarding' domain;
it will list the _outgoing_ mail servers for the domain, rather than the IP
addresses which its MX hosts may end up using for forwarded mail.

That's even assuming that you can reliably force your users to list all
such forwarding domains, which was a leap of faith in the first place.

> And perhaps that should be true in all cases but those where the 
> forwarders are known and trusted by the MTA receiving the forwarded 
> message.  After all, the receiver should logically be able to know 
> their allowed and trusted forwarders.  A sender cannot know the 
> recipient's forwarders as it just sends to the MX it finds in DNS 
> (which for your example should be the ISP's MTA), but the final 
> recipient's MTA certainly should.

No. Again you miss the point. The forwarding sites have nothing to do
with _either_ the sending or receiving domains. The admin at my ISP has
_no_ way of knowing how many of the thousands of forwarding services out
there may be forwarding to his users.

It just isn't practical in the general case for a receiving site to know
the IP addresses of all the potential forwarding hosts.

-- 
dwmw2
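
The forwarding problem the two of them are arguing about, as an added example that is not part of the thread: a toy SPF evaluator (ip4 mechanisms and `all` only) run over constructed records and addresses (`sender.example`, `isp.example`, 192.0.2.10, 198.51.100.x, 203.0.113.7 are all made up). It shows direct delivery passing, the same message failing once the ISP's MX forwards it, the forwarder's own SPF record not helping because it lists the outbound relay rather than the forwarding MX, and a recipient-side list of trusted forwarders rescuing only the forwarders it already knows.

```python
from ipaddress import ip_address, ip_network

# Constructed zone data (not real domains). An SPF record lists the addresses a
# domain authorises to *send* mail with its name in MAIL FROM, nothing more.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",   # original MAIL FROM domain
    "isp.example": "v=spf1 ip4:198.51.100.25 -all",   # forwarding ISP's outbound relay
}
ISP_MX_IP = "198.51.100.1"   # constructed: the ISP's MX host, which does the forwarding
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from_domain):
    """Toy SPF evaluation: ip4 mechanisms and 'all' only; 'none' if no record."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:            # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                           # a, mx, include etc. are out of scope here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                           # no mechanism matched

def direct_delivery():
    # sender.example's own MTA connects to the recipient: its IP is in the record.
    return spf_check("192.0.2.10", "sender.example")

def forwarded_delivery():
    # The ISP MX forwards with MAIL FROM unchanged, so the recipient evaluates
    # sender.example's record against the ISP's IP, which is not listed.
    return spf_check(ISP_MX_IP, "sender.example")

def forwarder_record_check():
    # Consulting the forwarder's own SPF record does not help: it lists the ISP's
    # outbound relay, not the MX host that actually forwards.
    return spf_check(ISP_MX_IP, "isp.example")

def check_with_trusted_forwarders(client_ip, mail_from_domain, trusted):
    # Exempting known forwarders rescues mail only from those on the list; a
    # forwarder the recipient has never heard of still fails the MAIL FROM check.
    if ip_address(client_ip) in {ip_address(t) for t in trusted}:
        return "trusted-forwarder"
    return spf_check(client_ip, mail_from_domain)
```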

