spf-discuss

Re: SPF implementations

2005-08-13 07:16:53
Dennis Willson wrote:

Isn't using SPF on the "From" address an acceptable use of
SPF?

It's NOT RECOMMENDED in the spec., because it won't work in
many cases.  E.g. this reply should have From: nobody(_at_)xyzzy,
and you'd get a FAIL if you test it, because my sender policy
doesn't cover the IPs of this mailing list.

If you take the Return-Path (v2.listbox) you'd get a PASS.

Sender-ID would pick the Sender instead of the From, that
happens to be the same as the Return-Path for this mailing
list, and therefore it should also work.

The serious trouble starts if From, Sender, and Return-Path
are all different.  Or if From and Return-Path are different,
and there is no Sender.  If you then pick whatever you like
and test it against v=spf1 you'd get wrong results.  Often
it will _apparently_ work - you'd catch that PayPal phish -
but not generally, you'd delete legit mails together with
the phishing crap => NOT RECOMMENDED.

                         Bye, Frank
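
The situation described in this message, as an added example that is not part of the original post: a minimal v=spf1 evaluator (ip4 and all mechanisms only) run against each identity of a list-relayed message. The domains, IP addresses and policies are constructed, the policy table stands in for DNS lookups, and the Sender-or-From choice is a simplification of Sender-ID's header selection.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption).
POLICIES = {
    "author.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "list.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Evaluate a v=spf1 record, supporting only ip4 and all mechanisms."""
    record = POLICIES.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:") and \
                ipaddress.ip_address(ip) in ipaddress.ip_network(mechanism[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"

def domain_of(address):
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def results_by_identity(ip, mail_from, raw_headers):
    """SPF result for each identity a receiver might choose to test."""
    msg = message_from_string(raw_headers)
    # Simplified Sender-ID choice, as in the post: Sender if present, else From.
    chosen = msg["Sender"] or msg["From"]
    return {
        "return_path": check_host(ip, domain_of(mail_from)),
        "from": check_host(ip, domain_of(msg["From"])),
        "sender_or_from": check_host(ip, domain_of(chosen)),
    }

# Constructed messages, both delivered by the list host 198.51.100.25.
LIST_IP = "198.51.100.25"
WITH_SENDER = ("From: Author <author@author.example>\n"
               "Sender: owner@list.example\nSubject: Re: test\n\nbody\n")
NO_SENDER = "From: Author <author@author.example>\nSubject: Re: test\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("with Sender", WITH_SENDER), ("no Sender", NO_SENDER)):
        print(name, results_by_identity(LIST_IP, "bounce@list.example", raw))
```

With the Sender header present only the From check fails; without it, the header-based choice falls back to From and fails for a legitimate list message even though the Return-Path check passes.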