spf-discuss

Re: The problems with SPF

2005-08-26 02:27:43
On Fri, Aug 26, 2005 at 09:49:02AM +0100, Dan Field wrote:

> I've been following this list for some time now and have also been 
> investigating the other sender authentication schemes - mainly Sender-ID 
> (Which I do understand has major problems) and DKIM (Which is a possibility 
> although has its own problems).
>
> From my point of view, and I may be wrong, does SPF have these problems and 
> if so what are the solutions:
>
> - Doesn't guarantee that the message is from the actual sender when a shared 
> MTA is used (Which is the case most of the time for most Small/Medium sized 
> businesses I would have thought?)

There is no authentication involved if that's what you mean.  SPF just
authorizes a certain host to use a certain right hand side (the domain)
in an email address. (Granted, nifty setups can also work on the part
before "@" but this isn't common).

If a domain publishes a record containing a certain host, and if that
host allows cross customer forgery, theoretically a message could still
be forged.  However, given the relationship between the domain owner and
such host, there's much more chance such forgery will be dealt with than
at any other random host on the internet.

> - Doesn't always guarantee the address is correct... Phishing attacks can 
> gain a pass by publishing SPF for their domain, but use different headers 
> which will then be displayed in a standard e-mail client such as Outlook.

That is correct.  First things first; SPF works on the envelope.

If a mail client is foolish enough to verify the envelope and then present
the result as if the body was checked, that is a problem in that client, not
in SPF.

> - Only useful for FALSE results - i.e.: the sender is forged? So if a phisher 
> publishes valid SPF for his domains he can gain a pass... I suppose this is a 
> benefit in that it is easier to blacklist said spammer.

A PASS result from a spammer domain is very useful.  Indeed, blacklisting
comes to mind.  PASS does not mean you want to receive an email, it just
means the domain is not forged.

One example of being useful: When a PASS is received, it is OK to send
stuff like out-of-office replies, non-delivery receipts and such. When
a FAIL is received, it is not.

> - Forwarding caused problems unless SRS or some other re-writing is employed?

Not really.
Forwarding is only a problem when the forwarder forges the "mail from"
domain.  This is under debate very often.  A message _is_ received by
the intended recipient.  If that recipient decides a message should be
routed, it is internal routing (as far as the sender is concerned).
Internal routing should not be subject to SPF checking.  Forwarders
are under control of the recipient, not the sender.  It is the recipient
that should handle this case.

> I do understand that SPF is not an anti-spam solution, but a step in helping 
> decide what is spam or forged e-mail, but do have concerns about how 
> successful it can be in that area.

It does NOT help to decide what is spam.  However, as spam often uses
forged addresses, SPF may certainly reject spam from time to time.

Alex
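
The envelope-versus-header point and the PASS/FAIL auto-reply rule from the message above, as an added example that is not part of the original post. The domains, IP addresses and SPF records are constructed, the record table stands in for DNS TXT lookups, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption).
SPF_RECORDS = {
    "phish.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def spf_check(client_ip, mail_from):
    """Evaluate the envelope sender's record; ip4 and all mechanisms only."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"

def assess(client_ip, mail_from, raw_message):
    """Report what the SPF result covers and what it leaves unchecked."""
    result = spf_check(client_ip, mail_from)
    header_from = parseaddr(message_from_string(raw_message)["From"])[1]
    return {
        "spf": result,
        "spf_covers": domain_of(mail_from),      # envelope domain only
        "header_from": domain_of(header_from),   # what the mail client displays
        "header_from_unverified": domain_of(header_from) != domain_of(mail_from),
        # PASS: auto-replies and bounces are OK; FAIL: they are not.
        # None for other results, which the message does not address.
        "may_auto_reply": {"pass": True, "fail": False}.get(result),
    }

# Constructed message: the displayed From differs from the envelope sender.
SAMPLE = (
    "From: Support <support@bank.example>\n"
    "To: user@rcpt.example\n"
    "Subject: constructed sample\n\n"
    "body\n"
)

if __name__ == "__main__":
    print(assess("203.0.113.7", "bounce@phish.example", SAMPLE))
```
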