From: Stuart D. Gathman [mailto:stuart(_at_)bmsi(_dot_)com]
Sent: Wednesday, August 17, 2005 2:22 PM
This is actually a good idea. It could be called 'Sender-ID Lite'.
Thanks. Let's see how it holds up to criticism. If I were a marketer, I'd
call it SPF-Pro (and charge extra for it). Fortunately, I'm not. Perhaps
this discussion can influence how SPF2 develops.
Question: do we require an *exact* domain match? What about
MAIL FROM <foo(_at_)mx1(_dot_)bar(_dot_)com> and From:
Couldn't you start with an easy question?
My first reaction is that the two domains ought to be the same. The
justification is that Sender: is supposed to be the originator if the
originator is not listed in From:. That's the originator, not someone
related to the originator. If mx1.bar.com is the originating domain, then I
believe it belongs in Sender:. If we allow flexibility here, things could
get complicated. mx1.bar.com and bar.com don't necessarily share an SPF
record. If they didn't, we would have to do an additional SPF check, and
that check would be against a 2822 identity. That, in turn, could create
the need for an additional SPF record or scoping requirements in the
original SPF record.
This is simplest if we can keep the two domains identical. There is no need
for scoping or any additional SPF records. There is also no IPR
infringement. We do the SPF check on the MAIL FROM domain, and if it
doesn't fail, we make sure that domain appears in the 2822 headers. Doesn't
sound much like SID to me.
I will start doing your proposed check in pymilter and logging possible
forgeries. This should give us an idea of how feasible it is.
Nothing beats real data. Outside of automated systems that are
misconfigured, the failure mechanism would be MUA's that allow you to set a
different return-path than From:. This could be fixed in the MSA by adding
Sender: when this is detected. Since MSA's are also gateways between
private networks and the internet, they are also classified as gateways.
Gateways are encouraged to make the headers comply with the transport system
into which they are injecting the message, so adding a Sender: header would
appear to be in scope.