On Fri, Aug 26, 2005 at 10:34:28AM +0100, Dan Field wrote:
If a mail client is foolish enough to verify the envelope and then present
the result as if the body was checked, that is a problem in that
But would the majority of e-mail clients in operation today show the
incorrect from address in a case of a forged address (Where the
spammer/pshiser has SPF for his envelope address but then alters the headers)?
With or without SPF, mail can use different "mail from" (envelope) and
"from" (header) addresses. Spammers make use of this, for example to
send mail from yourself to yourself.
Current email clients that do not use the SPF result will not change
the way they display headers, SPF present or not. But email clients
that are modified to use the SPF result should do it right. If a client
is modified to use SPF and if a client is foolish enough to tell the
user the address is verified, it should display the verified address
and not some other, random, address.
In other words: current email clients do not benefit from SPF but also
they won't do any wrong. SPF-aware clients shouldn't do the wrong thing.
Forwarding is only a problem when the forwarder forges the "mail from"
domain. This is under debate very often. A message _is_ received by
the intended recipient. If that recipient decides a message should be
routed, it is internal routing (as far as the sender is concerned).
Internal routing should not be subject to SPF checking. Forwarders
are under control of the recipient, not the sender. It is the recipient
that should handle this case.
I know there are alot of arguments around this area, and I must say I do
think it is a problem for the adoption of SPF
I can live with that. Just don't say it is a problem of SPF :)
Seriously: you are right, forwarders are a problem, almost everybody agrees.
It is just that some people think SPF causes the problem while others think
SPF only makes the problem visible.
Come up with a good way to distinguish white-hat forgers (aka forwarders)
and black-hat forgers (aka spammers and/or phishers) and who knows what happens.