spf-discuss

RE: Re: No more xxxx=yes please

2005-08-20 18:19:10
From: william(at)elan.net [mailto:william(_at_)elan(_dot_)net]
Sent: Saturday, August 20, 2005 5:19 PM

<...>

dom-oper = "dom" [ "." scope-name ] [ eq-domains-list ]
net-oper = "net" [ "." scope-name ] [ eq-domains-list ]
eq-domains-list = "(" [ domain ] [ domains-list ] ")"
domains-list = *("," domain)

It appears inherently dangerous to allow a 2821 sending domain to claim the
rights to use arbitrary domains in 2822 originator headers.  Unless those
domains have to explicitly allow the 2821 domain to do this in _their_ SPF
records, any phisher can publish a record claiming the right to use ebay.com
as a 2822 originator header.  Even if you did implement the requirement for
different domain usage to be declared in _both_ domains' SPF records, then
the recipient has to look up and evaluate both records.  If there were a
long list of equivalent domains, this could quickly turn into an abusable
mechanism.  I suggest that, as you noted, the great majority of cases can be
handled by either of the two cases you give below:

The sender equivalency would be listed as "sc.sender=ema" if email
submission rules are enforced by sender and Sender/From would be
same as MAILFROM. If submission rules are enforced on domain basis only
then the syntax is "sc.sender=dom".

Thus, I suggest that limiting this to same domain only would greatly
simplify things and prevent it from being abused.  Giving the sender the
choice as to whether it applies to the whole email address, the domain only,
From: or From:/Sender: is probably enough flexibility.  There might be a few
large ESPs who would like it otherwise, but I don't think it a good idea to
build an abusable protocol just to make their jobs slightly easier.  After
all, they charge money for their services, and at the end of the day, a more
limited protocol would not give a competitive advantage to one ESP over
another.  Just because it isn't exactly as they would prefer doesn't mean
they wouldn't go with it.

--

Seth Goodman
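Added example, not code from the spf-discuss thread or from either poster: a small parser for the quoted dom-oper/net-oper grammar and a check that contrasts the one-sided equivalence claim the reply objects to with the reciprocal form (both domains' records must name each other). The syntax for scope-name is not defined in the quoted fragment, so an alphanumeric token is assumed; the record store and every domain name below are constructed, and nothing is resolved from DNS. Lookups are counted because the reply's second point is the evaluation cost the reciprocal check imposes on the recipient.

```python
import re

# Constructed example (not code from the spf-discuss thread): a parser for the
# quoted "dom"/"net" operator grammar plus the reciprocal check the reply argues
# for.  Domain names and the record store below are made up; nothing is resolved
# from DNS.
#
# Grammar quoted in the thread (a proposal, not a published standard):
#   dom-oper        = "dom" [ "." scope-name ] [ eq-domains-list ]
#   net-oper        = "net" [ "." scope-name ] [ eq-domains-list ]
#   eq-domains-list = "(" [ domain ] [ domains-list ] ")"
#   domains-list    = *("," domain)
# scope-name is undefined in the quoted fragment; an alphanumeric token is assumed.
OPER_RE = re.compile(
    r"^(?P<oper>dom|net)"
    r"(?:\.(?P<scope>[A-Za-z0-9_-]+))?"
    r"(?:\((?P<doms>[^()]*)\))?$"
)


def parse_oper(text):
    """Parse one dom-oper / net-oper token into its parts."""
    m = OPER_RE.match(text.strip())
    if not m:
        raise ValueError("not a dom-oper/net-oper: %r" % text)
    raw = m.group("doms") or ""
    equiv = [d.strip().lower() for d in raw.split(",") if d.strip()]
    return {"oper": m.group("oper"), "scope": m.group("scope"), "equiv": equiv}


class RecordStore:
    """Stand-in for DNS: maps a domain to its (constructed) operator string and
    counts lookups, since the reply's cost concern is about extra evaluations."""

    def __init__(self, records):
        self.records = {k.lower(): v for k, v in records.items()}
        self.lookups = 0

    def get(self, domain):
        self.lookups += 1
        return self.records.get(domain.lower())


def originator_permitted(mailfrom_domain, from_domain, store, reciprocal=True):
    """May from_domain appear in an RFC 2822 originator header for a message
    whose RFC 2821 MAIL FROM domain is mailfrom_domain?

    reciprocal=False models the one-sided claim the reply objects to: the
    sending domain alone asserts equivalence.  reciprocal=True additionally
    requires the claimed domain's own record to name the sending domain."""
    mailfrom_domain = mailfrom_domain.lower()
    from_domain = from_domain.lower()
    if from_domain == mailfrom_domain:        # same-domain case: no claim needed
        return True
    sender_rec = store.get(mailfrom_domain)
    if sender_rec is None:
        return False
    if from_domain not in parse_oper(sender_rec)["equiv"]:
        return False
    if not reciprocal:
        return True                            # abusable: any sender can claim any domain
    target_rec = store.get(from_domain)        # second lookup, as the reply notes
    if target_rec is None:
        return False
    return mailfrom_domain in parse_oper(target_rec)["equiv"]


# Constructed records: one domain claims a brand it does not own; an ESP and its
# customer each name the other.
SAMPLE_RECORDS = {
    "phisher.example": "dom(brand.example)",
    "brand.example": "dom",
    "esp.example": "dom.sender(brand-two.example)",
    "brand-two.example": "dom(esp.example)",
}


def demo():
    """Returns (one-sided claim accepted, same claim under reciprocal check,
    mutually declared pair accepted, total lookups performed)."""
    store = RecordStore(SAMPLE_RECORDS)
    one_sided = originator_permitted("phisher.example", "brand.example", store, reciprocal=False)
    mutual_check = originator_permitted("phisher.example", "brand.example", store, reciprocal=True)
    legit = originator_permitted("esp.example", "brand-two.example", store, reciprocal=True)
    return one_sided, mutual_check, legit, store.lookups


if __name__ == "__main__":
    print(demo())   # (True, False, True, 5)
```

The one-sided mode accepts the forged claim after a single lookup; the reciprocal mode rejects it, but every cross-domain message now costs the recipient two record fetches (and two parses), which is the trade-off the reply weighs against simply restricting equivalence to the same domain.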